Differences

This shows you the differences between two versions of the page.

--- rfc:session-use-strict-mode [2016/07/08 02:11] – yohgaki
+++ rfc:session-use-strict-mode [2017/09/22 13:28] – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== PHP RFC: Enable session.use_strict_mode by default ======
-  * Version: 0.9
+  * Version: 1.0
   * Date: 2016-07-05
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
@@ Line 39: / Line 39: @@
 However, lost sessions are far better than stolen sessions.
-When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied session ID, etc.
+When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied unchangeable session ID, etc.
-rf party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rf party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. **PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.**
+rd party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rd party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. **PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.**
@@ Line 85: / Line 85: @@
   * Remove additional session data storage access by extending session save handler API.
-===== Proposed Voting Choices =====
+===== Vote =====
-This project requires a 2/3
+This project requires 2/3 majority
+<doodle title="Enable session.use_strict_mode by default" auth="Yasuo Ohgaki" voteType="single" closed="true">
+   * Yes
+   * No
+</doodle>
+Vote starts 2016/7/12, ends 2016/07/19 23:59:59 UTC.
 ===== Patches and Tests =====

Differences

Page Tools