rfc:session-use-strict-mode

Differences

rfc:session-use-strict-mode [2016/07/08 02:11] yohgaki
rfc:session-use-strict-mode [2020/08/01 23:51] (current) – Status is "Declined" carusogabriel
Line 1: Line 1:
 ====== PHP RFC: Enable session.use_strict_mode by default ====== ====== PHP RFC: Enable session.use_strict_mode by default ======
-  * Version: 0.9+  * Version: 1.0
   * Date: 2016-07-05   * Date: 2016-07-05
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion+  * Status: Declined
   * First Published at: http://wiki.php.net/rfc/session-use-strict-mode   * First Published at: http://wiki.php.net/rfc/session-use-strict-mode
  
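Review bot: the header now reads `* Status: Declined` and `* Version: 1.0`, but nothing in this hunk records the vote result the new status refers to; add the final tally (or a pointer to the closed vote section) next to the status line so the header is self-explanatory without scrolling to the poll.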
Line 39: Line 39:
 However, lost sessions are far better than stolen sessions.  However, lost sessions are far better than stolen sessions. 
  
-When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied fixed session ID, etc.+When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied unchangeable session ID, etc.
  
-3rf party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rf party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. **PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.**+3rd party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rd party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. **PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.**
  
  
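Review bot: the `3rf` → `3rd` fix is good, but the sentence still says "to work actually" and leaves "session ID validation handler" undefined: state what the handler must decide, namely whether a supplied session ID is a known, initialized one, since that is the check strict mode needs in order to reject the attacker-supplied ID the previous paragraph talks about; suggested wording: "3rd party session save handlers must implement the session ID validation handler, otherwise session.use_strict_mode=1 has no effect." The preceding line would also read better if it spelled out the outcome it promises: with an unchangeable attacker-set cookie the fixed ID is rejected on every request, so the user never logs in under the attacker's ID and instead ends up with a lost session, which is exactly the "lost sessions are far better than stolen sessions" point above it.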
Line 85: Line 85:
   * Remove additional session data storage access by extending session save handler API.   * Remove additional session data storage access by extending session save handler API.
  
-===== Proposed Voting Choices =====+===== Vote =====
  
-This project requires 2/3+This project requires 2/3 majority
  
 +<doodle title="Enable session.use_strict_mode by default" auth="Yasuo Ohgaki" voteType="single" closed="true">
 +   * Yes
 +   * No
 +</doodle>
  
 +Vote starts 2016/7/12, ends 2016/07/19 23:59:59 UTC.
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
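Review bot: the vote window line mixes two date formats (`2016/7/12` vs `2016/07/19`) and gives a time and timezone only for the end; write both endpoints the same way, e.g. `Vote starts 2016/07/12 00:00:00 UTC, ends 2016/07/19 23:59:59 UTC`, so readers do not have to guess when voting opened. "requires 2/3 majority" should also say of what (votes cast) to match the doodle above it.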
rfc/session-use-strict-mode.1467943906.txt.gz · Last modified: 2017/09/22 13:28 (external edit)