This is an old revision of the document!

PHP RFC: Your Title Here


Due to HTTP cookie implementation, it is easy to create unchangeable/undeletable cookies via JavaScript injections. Single JavaScript injection vulnerability or cookie storage modification via physical access to the client allows attackers to steal user session forever without session.use_strict_mode=1.


Enable session.use_strict_mode INI setting by default.

  • session.use_strict_mode=1

in hard coded, php.ini-*.

Document deprecation of obsolete session save handler API that does not support session.use_strict_mode.


Backward Incompatible Changes

session.use_strict_mode=1 can result in lost sessions without changes like

However, lost sessions are far better than stolen sessions.

When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login, etc.

3rf party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rf party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.

Proposed PHP Version(s)

PHP 7.1.0

RFC Impact



To Existing Extensions


To Opcache


New Constants


php.ini Defaults

session.use_strict_mode=1 for all

  • hardcoded default values
  • php.ini-development values
  • php.ini-production values

Open Issues

Unaffected PHP Functionality

3rd party and user defined session save handlers implementation is not affected.

3rf party session handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP must be used. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.

Future Scope

  • Session ID should be managed by TTL timestamp precisely in order to session ID is managed correctly.
  • Remove session.use_strict_mode setting and enable it always.
  • Remove session_regenerate_id()'s immediate session ID data removal option. i.e. Manage session data lifetime by TTL.

Proposed Voting Choices

This project requires a 2/3

Patches and Tests

Not provided as this change is trivial INI default change. Tests scripts are modified to work regardless of session.use_strict_mode=0/1 already.


After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature


Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/session-use-strict-mode.1467690236.txt.gz · Last modified: 2017/09/22 13:28 (external edit)