Differences

This shows you the differences between two versions of the page.

--- rfc:strict_sessions [2014/02/18 23:38] – Add implementation yohgaki
+++ rfc:strict_sessions [2017/09/22 13:28] (current) – external edit 127.0.0.1
@@ Line 27: / Line 27: @@
 This patch adds
   * validate_sid() to ps_modules (Save handlers)
-  * use_strict_session to php.ini (On by default, off for old behavior)
+  * session.use_strict_mode to php.ini (On by default, off for old behavior)
   * display that save handler supports strict session or not via phpinfo() (So that user could know behavior)
   * update PHP_SESSION_API version (So that save handler authors could write portable code)
@@ Line 35: / Line 35: @@
   * save handlers that are currently working should also work with this patch, except ps modules using PS_MOD_SID and PS_MOD_FUNCS_SID macro. These ps modules should implement validate_sid(). Modules that are using PS_MOD/PS_FUNCS are not affected, they just marked as "adaptive" module. (e.g. pecl sqlite's ps module. You can see it via phpinfo()) NOTE: PS_MOD_SID() and PS_MOD_FUNCS_SID() are already defined, but it was the same as PS_MOD()/PS_MOD_FUNCS(). If old ps_module that uses PS_MOD_SID()/PS_MOD_FUNCS_SID() does not compile, implement validate_id().
-  * session ID string is checked so that chars are alphanumeric + ',','-' when use_strict_session=On. (mod_file.c checks session ID this way w/o this patch to prevent
+  * session ID string is checked so that chars are alphanumeric + ',','-' when session.use_strict_mode=On. (mod_file.c checks session ID this way w/o this patch to prevent
 problems. Using restrictive session ID string is better for other ps modules. IMHO)
   * session read failure is not rescued to eliminate possible infinite loops. Bundled ps modules were not using this at least.
@@ Line 42: / Line 42: @@
 session. By looking into failing test results, you can see this patch
 is generating new session ID if it's not a already initialized
-session. I'll modify these tests (set use_strict_session=Off) and add
+session. I'll modify these tests (set session.use_strict_mode=Off) and add
 some tests for new feature (new validate_sid() function for user and
 use_class save handler) after commit.
@@ Line 149: / Line 149: @@
 order preference for sending cookies than Chrome/Firefox.
-This behavior prevents use of session_regenerat_id()'s new cookie in some cases. PHP may
+This behavior prevents use of session_regenerate_id()'s new cookie in some cases. PHP may
 use invalid session ID to initialize session. Session ID can be fixed (i.e. session fixation)
 without the validation code.
@@ Line 165: / Line 165: @@
   * First cookie(C=%2Fwww%2Fdefault%2Fpublic) is cookie set without domain and the default path '/'.
   * Second cookie(C=test.co.jp) is cookie set with domain.
-  * In this case, PHP initialize $_COOKIE['C'] == 'test.co.jp'. Session is also initializes with second cookie regardless of cookie set for path.
+  * In this case, PHP initialize $_COOKIE['C'] == 'test.co.jp'. Session is also initialized with second cookie regardless of cookie set for path.
   * Cookies are set for all combinations with different values (domain name and full path dir). (i.e. all domain and path)
-  * To make this happen, it seems order of setting cookies were significant. Set path first, then domain.
+  * To make this happen, it seems order of setting cookies was significant. Set path first, then domain.
@@ Line 181: / Line 181: @@
   Cookie: C=co.jp
-  * This is an test case for invalid domain. co.jp is ccTLD so browser should not set cookie for it. However, browser seems set cookie if it has IP.
+  * This is a test case for invalid domain. co.jp is ccTLD so browser should not set cookie for it. However, browser seems set cookie if it has IP.
   * This is very handy if someone wants to steal him/her colleague session. Just edit hosts and set long life cookie for the domain. It will remain unless cookie is expired or explicitly deleted.

Differences

Page Tools