rfc:session-use-strict-mode
Differences between the revision of 2016/07/06 21:57 (yohgaki: "Add note for security impact") and the current revision of 2020/08/01 23:51 (carusogabriel: Status is "Declined"). The text below follows the current revision; earlier wording is noted where it differs.
====== PHP RFC: Enable session.use_strict_mode by default ======
  * Version:
  * Date: 2016-07-05
  * Author: Yasuo Ohgaki <
  * Status: (set to "Declined" in the 2020/08/01 revision)
  * First Published at: http://
Due to HTTP cookie implementation,
NOTE: When multiple cookies are valid for a request, the browser sends the one it gives the highest precedence. Which cookie is sent differs from browser to browser, because there is no standard for cookie precedence. An attacker can exploit this browser behavior to set unchangeable cookies by using the httponly, secure, domain and path cookie attributes. Security impact differs according to web site setup, used browser (the 2016/07/06 revision ends this sentence "according to web site setup and used browser."; the current revision continues past the point shown here)
===== Proposal =====
However, lost sessions are far better than stolen sessions.
When an attacker sets an unchangeable session ID cookie for a user, that user will not be able to obtain a valid session ID: strict mode keeps rejecting the attacker-supplied ID on every request, so the user cannot log in via that unchangeable session ID, etc. (The 2016/07/06 revision reads simply "i.e. Cannot login, etc.")
Third-party session save handlers must implement a session ID validation handler for session.use_strict_mode=1 to actually take effect, i.e. third-party save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. **PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.** (The 2016/07/06 revision has the typo "3rf party".)
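The two paragraphs above (a planted, unchangeable cookie becomes a lost session rather than a stolen one, and a save handler has to supply ID validation for strict mode to do anything) can be watched from the CLI. The following is an added example written for this page; it is not code from the RFC or from PHP itself. It assumes PHP 7.1 or later, where a user-land handler provides the PS_FUNCS_UPDATE_TIMESTAMP-style hooks by implementing SessionUpdateTimestampHandlerInterface (validateId() and updateTimestamp()), and a writable temp directory. The handler class, directory name and the planted cookie value are all constructed for the demonstration.

```php
<?php
// Added example for this RFC page; not the RFC's or PHP's own code.
// Assumes PHP >= 7.1 (SessionUpdateTimestampHandlerInterface) and a writable
// temp directory. Run from the CLI: php strict_mode_demo.php
declare(strict_types=1);

// Minimal file-backed save handler. For a user-land handler, validateId() is
// the hook that makes session.use_strict_mode=1 effective: PHP calls it for
// every request-supplied ID and discards the ID unless the handler confirms
// it already exists. A handler implementing only SessionHandlerInterface
// gives strict mode nothing to ask, so unknown IDs get adopted as if strict
// mode were off.
final class StrictFileHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $dir;

    public function __construct(string $dir)
    {
        $this->dir = $dir;
    }

    // Accept only the alphabet PHP itself generates, so a crafted ID can
    // never become a path component. Returns null for anything else.
    private function pathFor(string $id): ?string
    {
        return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1
            ? $this->dir . '/sess_' . $id
            : null;
    }

    public function open($savePath, $sessionName): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read($id): string
    {
        $path = $this->pathFor($id);
        if ($path === null || !is_file($path)) {
            return '';   // no such session: PHP starts with an empty $_SESSION
        }
        return (string) file_get_contents($path);
    }

    public function write($id, $data): bool
    {
        $path = $this->pathFor($id);
        return $path !== null && file_put_contents($path, $data, LOCK_EX) !== false;
    }

    public function destroy($id): bool
    {
        $path = $this->pathFor($id);
        return $path === null || !is_file($path) || unlink($path);
    }

    public function gc($maxLifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + (int) $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    // Strict-mode hook: true only for an ID this store has already issued.
    public function validateId($id): bool
    {
        $path = $this->pathFor($id);
        return $path !== null && is_file($path);
    }

    // Lets PHP refresh the timestamp without rewriting unchanged data.
    public function updateTimestamp($id, $data): bool
    {
        $path = $this->pathFor($id);
        return $path !== null && is_file($path) && touch($path);
    }
}

// --- demo: an attacker-planted cookie value reaching session_start() -------
$dir = sys_get_temp_dir() . '/strict-demo-' . getmypid();   // constructed location
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}

ini_set('session.use_strict_mode', '1');   // the setting this RFC wants on by default
session_set_save_handler(new StrictFileHandler($dir), true);

// Constructed value standing in for the "unchangeable" cookie the RFC
// describes: the attacker chose it, so no session with this ID exists.
$planted = str_repeat('a', 32);
$_COOKIE[session_name()] = $planted;        // what PHP sees when the browser sends it
session_start();
$issued = session_id();

printf("planted=%s\nissued =%s\nadopted=%s\n", $planted, $issued, $issued === $planted ? 'yes' : 'no');
// use_strict_mode=1 with validateId(): adopted=no. A fresh ID is issued, but the
// victim's browser keeps presenting the planted cookie, so the session is
// "lost" on every request rather than shared with the attacker.
// use_strict_mode=0: adopted=yes, and write() persists data under the
// attacker-chosen ID at shutdown, i.e. session fixation.
session_write_close();
```

Flip `session.use_strict_mode` to `0` and rerun to see the planted ID adopted; remove the `implements SessionUpdateTimestampHandlerInterface` part (and the two methods) and strict mode stops rejecting it even at `1`, which is the situation the paragraph above warns third-party handler authors about.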
  * Remove additional session data storage access by extending the session save handler API.
===== Vote =====
(The 2016/07/06 revision titled this section "Proposed Voting Choices".)
This project requires a 2/3 majority.
<doodle title="
  * Yes
  * No
</doodle>
Vote starts 2016/7/12, ends 2016/07/19 23:59:59 UTC.
===== Patches and Tests =====
rfc/session-use-strict-mode.1467842223.txt.gz · Last modified: 2017/09/22 13:28 (external edit)