On Fri, Sep 13, 2024 at 9:51 PM Claude Pache <claude.pa...@gmail.com> wrote:
> > On 13 Sept 2024 at 16:13, etkaar <etk...@akayo.eu> wrote:
> >
> > Hi!
> >
> > I created this issue in January 2022 but it seems it wasn't noticed yet
> > (since you probably watch the mailing lists more than
> > GitHub): https://github.com/php/php-src/issues/7913
> >
> > Kind Regards,
> > etkaar
>
> Hi,
>
> * Defaulting `session.cookie_httponly` to `true` seems very reasonable.
>
> * Beware that if you set `session.cookie_secure` to `true`, you will
> break websites that are not served over https. Moreover, the reason for
> the breakage may not be evident.
>
> * You forgot another obvious setting: `session.cookie_samesite` must be
> "Lax" by default.
>
> * We should also consider setting `session.use_strict_mode` to `true`, in
> order to mitigate session fixation attacks.
>
> —Claude

Hi,

Maybe `session.cookie_secure` could use an additional value like `'auto'`, which would enable it for https and disable it for http. Symfony does it too: https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure

Kind regards,
Faizan
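As an added example (not code from the thread or from php-src), this is how the four settings discussed above can be applied in userland today, with the proposed `'auto'` behaviour for `session.cookie_secure` emulated from the request scheme; the helper names `isHttpsRequest()` and `hardenSessionCookies()` are assumptions.

```php
<?php
// Added example: apply the hardened session cookie settings before session_start().
// php.ini has no 'auto' value for session.cookie_secure, so Secure is derived
// from the current request instead.

function isHttpsRequest(array $server): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value (e.g. "on") when it
    // terminated TLS itself. Behind a TLS-terminating proxy this is not set;
    // in that case derive the scheme from a proxy header only if the proxy is
    // known to overwrite client-supplied copies of it.
    $https = $server['HTTPS'] ?? '';
    return $https !== '' && strtolower($https) !== 'off';
}

function hardenSessionCookies(array $server): array
{
    $params = [
        'lifetime' => 0,                        // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => isHttpsRequest($server),  // the proposed 'auto': Secure only over https
        'httponly' => true,                     // not readable from JavaScript
        'samesite' => 'Lax',                    // not sent on cross-site POSTs
    ];
    // Array form of session_set_cookie_params() is available since PHP 7.3.
    session_set_cookie_params($params);

    // Reject session IDs the server never issued (session fixation mitigation).
    ini_set('session.use_strict_mode', '1');

    return $params;
}

// Usage: call before session_start(), e.g. from a front controller.
// hardenSessionCookies($_SERVER);
// session_start();
```

On a plain-http development host `secure` evaluates to `false`, so the cookie is still set, which is the breakage Claude describes avoided; on the https deployment the same code yields a Secure cookie.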