Hi all,
While writing an answer to someone regarding session security, I noticed
that session.use_strict_mode is disabled by default, despite it being
"mandatory for session security" (according to the description in the
manual -
https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
).
I tried a search of the mailing list and found an RFC declined 4 years
ago, albeit with very few votes:
https://externals.io/message/94484
Should use_strict_mode be enabled by default?
My best guess is the previous RFC was declined due to the issues with
lost sessions enumerated in the above linked thread. Do these still
exist (have there been changes since this RFC)? Could the feature be
improved to mitigate or remove these?
If the setting default is not changed, should the manual description of
this setting be improved to describe why it's not enabled by default?
Are there any other session (security) related settings that should be
tightened by default? (cookie_samesite?)
AllenJB
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
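As an added illustration of what session.use_strict_mode actually changes (this is example code written for this page, not code from the post above, from php-src, or from the manual), the script below plants a session ID that PHP never issued, the way a session-fixation attack does through a cookie or URL, and reports whether the session module kept it with strict mode off and with it on. It assumes PHP 7.3 or later (for the samesite cookie option), the built-in "files" save handler (which implements validateId, the hook strict mode relies on) and a writable session.save_path; session_id() stands in for the attacker-supplied cookie, and the function and variable names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from php-src.
// Run from the CLI:  php session_strict_mode_demo.php
// Assumes the "files" save handler and a writable session.save_path.

/**
 * Simulate a fixation attempt: start a session with an ID PHP never issued
 * (what an attacker plants via Cookie/URL) and report whether PHP kept it.
 * No HTTP layer is involved; session_id() stands in for the planted cookie.
 */
function plantedIdAccepted(string $plantedId, bool $strictMode): bool
{
    ini_set('session.use_strict_mode', $strictMode ? '1' : '0');
    ini_set('session.use_cookies', '0');      // CLI run: no Set-Cookie header
    ini_set('session.cache_limiter', '');     // CLI run: no cache headers

    session_id($plantedId);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed; is session.save_path writable?');
    }
    $kept = session_id() === $plantedId;      // strict mode should have replaced it
    session_destroy();                        // remove whatever file this run created
    return $kept;
}

/**
 * Cookie attributes a hardened deployment sets explicitly instead of relying
 * on php.ini defaults (cookie_samesite, for one, is empty unless configured).
 */
function hardenedCookieParams(): array
{
    return [
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // cross-site navigations do not carry it
    ];
}

$verdict = static fn(bool $kept): string =>
    $kept ? 'ACCEPTED (fixation works)' : 'rejected (new ID issued)';

// Read the php.ini defaults before the runs below override them.
printf("php.ini use_strict_mode : %s\n", ini_get('session.use_strict_mode') ?: '0');
printf("php.ini cookie_samesite : %s\n", ini_get('session.cookie_samesite') ?: '(empty)');

// Strict run first, so the planted ID cannot already exist in save_path.
printf("strict_mode=1: planted ID %s\n", $verdict(plantedIdAccepted('planted-by-attacker-a1', true)));
printf("strict_mode=0: planted ID %s\n", $verdict(plantedIdAccepted('planted-by-attacker-b2', false)));

// In a web SAPI the same settings go in before session_start().
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(hardenedCookieParams());
    ini_set('session.use_strict_mode', '1');
    session_start();
}
```

The two runs use different planted IDs and call session_destroy() after each, because the files handler creates the session file on read; otherwise the non-strict run would leave a file behind that makes the planted ID look "initialized" to a later strict run. That is also the practical caveat behind the "lost sessions" discussion: strict mode only knows an ID is legitimate if the save handler still has a record of it, so anything that removes session files early (garbage collection, a crashing handler, a misconfigured save_path) turns into a forced logout rather than a silently adopted ID.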