PHP RFC: Your Title Here

• Version: 0.9
• Date: 2016-07-05
• Author: Yasuo Ohgaki yohgaki@ohgaki.net
• Status: Under Discussion
• First Published at: http://wiki.php.net/rfc/session-use-strict-mode

Due to HTTP cookie implementation, it is easy to create unchangeable/undeletable cookies via JavaScript injections. Single JavaScript injection vulnerability allows attackers to steal user session forever without session.use_strict_mode=1.

Enable session.use_strict_mode INI setting by default.

• session.use_strict_mode=1

in hard coded, php.ini-*.

session.use_strict_mode=1 can result in lost sessions without changes like

• https://wiki.php.net/rfc/precise_session_management (Declined)

However, lost sessions are far better than stolen sessions.

3rf party session handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP must be used. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.

PHP 7.1.0

None

Session

None

None

session.use_strict_mode=1 for all

• hardcoded default values
• php.ini-development values
• php.ini-production values

3rd party and user defined session save handlers implementation is not affected.

3rf party session handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP must be used. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.

Session ID should be managed by TTL timestamp precisely in order to session ID is managed correctly.

This project requires a 2/3

Not provided as this change is trivial INI default change. Tests scripts are modified to work regardless of session.use_strict_mode=0/1 already.

After the project is implemented, this section should contain

1. the version(s) it was merged to
2. a link to the git commit(s)
3. a link to the PHP manual entry for the feature

• https://wiki.php.net/rfc/precise_session_management

Keep this updated with features that were discussed on the mail lists.