PHP RFC: Enable session.use_strict_mode by default
Enable the session.use_strict_mode INI setting by default, both in the hard-coded default and in php.ini-*.
Document the deprecation of the obsolete session save handler API that does not support session.use_strict_mode.
- Session ID existence validation (an additional query to the session data storage may be needed, depending on the save handler implementation).
- New session ID regeneration when a nonexistent session ID is passed.
Backward Incompatible Changes
session.use_strict_mode=1 can result in lost sessions without changes like
However, lost sessions are far better than stolen sessions.
When an attacker sets an unchangeable session ID cookie for a user, that user will not be able to obtain a valid session ID, i.e. cannot log in, etc.
3rd party session save handlers must implement the session ID validation handler for session.use_strict_mode=1 to actually work, i.e. 3rd party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.
Proposed PHP Version(s)
To Existing Extensions
session.use_strict_mode=1 for all
- hardcoded default values
- php.ini-development values
- php.ini-production values
Unaffected PHP Functionality
The implementation of 3rd party and user-defined session save handlers is not affected.
3rd party session handlers must implement the session ID validation handler for session.use_strict_mode=1 to actually work, i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP must be used. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.
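As an added example (not code from the RFC or from PHP's own session module), here is a user-level save handler that satisfies the requirement stated above and in the Backward Incompatible Changes section: it implements SessionUpdateTimestampHandlerInterface, the userland equivalent of PS_FUNCS_UPDATE_TIMESTAMP, so that validateId() gives session.use_strict_mode=1 something to check before adopting a client-supplied ID. The class name, storage directory and ID pattern are assumptions of this example.

```php
<?php
// Added example, not the RFC's own code. SessionUpdateTimestampHandlerInterface is the
// userland counterpart of the PS_FUNCS_UPDATE_TIMESTAMP C API; validateId() is the hook
// session.use_strict_mode=1 relies on. Assumes PHP 8.1+ and a writable temp directory.
final class StrictFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $dir) {}
    // Only IDs shaped like ones the session module generates map to a file; anything
    // else is reported as nonexistent without touching the filesystem.
    private function path(string $id): ?string
    {
        return preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id) ? "$this->dir/sess_$id" : null;
    }
    private function exists(string $id): bool
    {
        $p = $this->path($id);
        return $p !== null && is_file($p);
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        return $this->exists($id) ? (string) file_get_contents($this->path($id)) : '';
    }
    public function write(string $id, string $data): bool
    {
        $p = $this->path($id);
        return $p !== null && file_put_contents($p, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool { return !$this->exists($id) || unlink($this->path($id)); }
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob("$this->dir/sess_*") ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }

    // Strict mode calls this for every ID received from the client. Returning false
    // makes the module discard that ID and generate a fresh one (the regeneration
    // described above) instead of adopting an attacker-chosen value.
    public function validateId(string $id): bool { return $this->exists($id); }
    // Called instead of write() when the data is unchanged, so lifetime is tracked by TTL.
    public function updateTimestamp(string $id, string $data): bool { return $this->exists($id) && touch($this->path($id)); }
}
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new StrictFileSessionHandler(sys_get_temp_dir() . '/strict_sessions'), true);
session_start();
```

With this handler registered, a cookie carrying an ID that has no corresponding file is rejected by validateId() and a new ID is issued, which is the lost-session rather than stolen-session trade-off the RFC describes.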
- Session IDs should be managed by a TTL timestamp in order to handle them correctly and precisely.
- Remove the session.use_strict_mode setting and enable it always.
- Remove session_regenerate_id()'s immediate session ID data removal option, i.e. manage session data lifetime by TTL.
- Remove the additional session data storage access by extending the session save handler API.
Proposed Voting Choices
This project requires a 2/3
Patches and Tests
Not provided, as this change is a trivial INI default change. Test scripts have already been modified to work regardless of session.use_strict_mode=0/1.
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
Keep this updated with features that were discussed on the mail lists.