This is an old revision of the document!

PHP RFC: Secure Session Module Options/Internal by Default


HTTP session management is core of Web security. Current default of session module options are weaker than it could be. Secure values by default would be better.


Secure setting should be the default and user should selectively use weaker setting.

NEW: id_length=23 minimum session ID length to mitigate possibility of timing attack. This value must not exceed session ID length.

use_strict_mode=on disallow user supplied session ID and improve session ID security. Most applications work with this option.

cookie_httponly=on disallow use of session ID cookie from JavaScript. It reduces risk of stolen session ID via JavaScript injections. Most applications work with this option.

hash_function=“sha256” SHA-256 has larger bits than SHA-1/MD5. (256 bits vs 160/128 bits) More difficult to guess. i.e. Birthday attack. With stronger hash,collision is less likely.

NIST suggests not to use SHA-1 for “applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010.” Files save handler detects session ID collision (PHP 5.5 and later). Therefore it is out of NIST requirement scope for small sites, but collision detection is up to save handlers.

“sha256” could be unavailable. Session module fallback to SHA-1 silently in this case.

entropy_length=64 entropy_lengh=32 is too short for SHA-256. Default to 64.

hash_bits_per_character=6 Compiled value is 4. php.ini-development/production value is 5. Make both INI and compiled to 6.

Detect collision via PS_VALIDATE_FUNC() When session ID is generated, collision could be checked by PS_VALIDATE_FUNC() if it is available. Check collision in session module instead of save handler module. (Easier use_strict_mode adoption)

Backward Incompatible Changes

id_length: User must change if they use their own shorter session ID. (Good for security)

use_script_mode=on: Do not accept user provided session ID (Good for security)

cookie_httponly=on: JavaScript cannot access session ID cookie (Good for security)

hash_function=“sha256”: Longer session ID string. This would not be issue for almost all (Collision is less likely. Good for security)

hash_bits_per_character=6: Shorter session ID string and more chars in Session ID string. It's 5 in php.ini-development/production. This could not be an issue for almost all apps. (Shorter session ID string with more chars. Better security with id_length.)

Proposed PHP Version(s)

PHP 5.6

Impact to Existing Extensions

Session module

php.ini Defaults

  • hardcoded default values
  • php.ini-development values
  • php.ini-production values

PHP 5.6 id_length=23, use_script_mode=on, cookie_httponly=on, hash_function=1, hash_bits_per_character=6, entropy_length=64 for all

Open Issues

Proposed Voting Choices



VOTE: 2014/02/17 - 2014/02/22

Secure Session Module Options by Default
Real name Yes No
Count: 0 0

Thank you for voting!


After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature


Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/secure-session-options-by-default.1392609849.txt.gz · Last modified: 2014/02/17 05:04 by yohgaki