rfc:session-use-strict-mode
rfc:session-use-strict-mode [2016/07/04 22:27] – created yohgaki | rfc:session-use-strict-mode [2016/07/28 18:29] – Moved to "under discussion", since voting is currently closed ocramius | ||
Line 1: | Line 1: | ||
- | ====== PHP RFC: Your Title Here ====== | + | ====== PHP RFC: Enable session.use_strict_mode by default |
- | * Version: | + | * Version: |
* Date: 2016-07-05 | * Date: 2016-07-05 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
Line 7: | Line 7: | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | Due to HTTP cookie implementation, | + | Due to HTTP cookie implementation, |
+ | |||
+ | NOTE: When multiple cookies are valid for a request, browser sends a highest precedence cookie. Cookie sent by browsers differs browser by browser because there is no cookie precedence standard. Attacker can exploit this browser behavior to set unchangeable cookies by using httponly, secure, domain and path cookie attributes. Security impact differs according to web site setup, used browser and session handling code. | ||
===== Proposal ===== | ===== Proposal ===== | ||
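Review bot: the added NOTE paragraph carries the threat model the whole RFC rests on but reads roughly; suggest "browser sends a highest precedence cookie" → "the browser sends the highest-precedence cookie" and "Cookie sent by browsers differs browser by browser" → "which cookie is sent differs from browser to browser". It would also help to close the paragraph by tying it back to the proposal: because an attacker can plant a cookie the user cannot overwrite, the defence has to be server-side, which is exactly what rejecting a nonexistent session ID and regenerating a new one under session.use_strict_mode=1 provides. As written the paragraph lists the attack and its browser-dependent variability but never says why strict mode is the answer to it.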
Line 15: | Line 17: | ||
in hard coded, php.ini-*. | in hard coded, php.ini-*. | ||
+ | |||
+ | Document deprecation of obsolete session save handler API that does not support session.use_strict_mode. | ||
+ | |||
+ | * PS_FUNCS | ||
+ | |||
+ | ===== Performance Impact ===== | ||
+ | |||
+ | session.use_strict_mode=1 requires | ||
+ | |||
+ | * Session ID existence validation. (Additional query to session data storage may be needed depending on save handler implementation.) | ||
+ | * New session ID regeneration required when nonexistent session ID is passed. | ||
+ | |||
+ | Files save handler will not be affected much, but external session data storage may have noticeable impact. | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
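Review bot: the two Performance Impact bullets have different cost profiles and the text should say so: the existence validation runs for every request that presents a session ID, while the regeneration cost is paid only when a nonexistent ID is rejected, so the per-request storage round trip is the number that matters for external save handlers, not the regeneration. "Files save handler will not be affected much" is also asserted without a reason; the sentence implies a contrast between a local file check and a remote query, and spelling that out would make the claim checkable.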
Line 22: | Line 37: | ||
* https:// | * https:// | ||
- | However, lost sessions are far better than stolen sessions. | + | However, lost sessions are far better than stolen sessions. |
- | 3rf party session handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP | + | When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied unchangeable session ID, etc. |
+ | |||
+ | 3rd party session | ||
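Review bot: the new paragraph on attacker-set unchangeable cookies uses "i.e." where it gives an example; use "e.g.", and reword "the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied unchangeable session ID, etc." to "the user will be unable to obtain a valid session; for example, login fails because the attacker-supplied, unchangeable session ID is rejected on every request." It is worth stating that this is the intended outcome rather than a regression: the preceding sentence already argues that lost sessions are preferable to stolen ones, and a visible login failure is what replaces a silent session fixation. The old text's "3rf party" typo becomes "3rd" in this revision, which is good; keep the rest of that sentence, since the requirement that handlers implement a session ID validation callback (PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP) is what makes the setting effective at all.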
Line 63: | Line 80: | ||
===== Future Scope ===== | ===== Future Scope ===== | ||
- | Session ID should be managed by TTL timestamp | + | * Session ID should be managed by TTL timestamp in order to manage |
+ | * Remove session.use_strict_mode setting and enable it always. | ||
+ | * Remove session_regenerate_id()' | ||
+ | * Remove additional session data storage access by extending session save handler API. | ||
- | ===== Proposed Voting Choices | + | ===== Vote ===== |
- | This project requires | + | This project requires 2/3 majority |
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | Vote starts 2016/7/12, ends 2016/07/19 23:59:59 UTC. | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== |
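Review bot: the Future Scope bullet "Remove session.use_strict_mode setting and enable it always" depends on the deprecation noted under Proposal being finished first: the Backward Incompatible Changes section says third-party save handlers without a session ID validation callback do not actually enforce strict mode, so removing the switch before those handlers are gone would leave such deployments assuming protection they do not have. Suggest stating that ordering explicitly, or making the removal conditional on the save handler API extension listed as the last bullet. Style: the vote dates use two formats ("2016/7/12" and "2016/07/19"); use one.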
rfc/session-use-strict-mode.txt · Last modified: 2020/08/01 23:51 by carusogabriel