Hi all,

Reminding you of the end of the vote.

On Fri, Jul 15, 2016 at 7:06 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Tue, Jul 12, 2016 at 10:01 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> Vote for "Enable session.use_strict_mode by default" RFC has started.
>>
>> https://wiki.php.net/rfc/session-use-strict-mode
>>
>> Vote ends 2017/07/19 UTC.
>
> Some of us are against this RFC.
> The consequences of disabling use_strict_mode
> (allowing uninitialized session ID by session module) are severe.
>
> I would like to know the reason why.
>
> Thank you!
>
> P.S. This RFC requires 2/3 in favor to pass.

The vote will end in 2 hours and 2 more in favor are required to pass at least.

I don't know the reason why some of us are against this RFC, but a vote is a vote.
My guess is you prefer more precise timestamp based session management, which has been declined.

Regards,

P.S. Waiting for the reason why against this RFC regardless of the vote result.
Sites that have URL style such as http://www.example.com/ or http://example.com/app/ could be compromised very easily without session ID validation. An attacker can exploit them by unchangeable cookies via a single JavaScript injection. i.e. session_regenerate_id(true) wouldn't help to make sure users get new ID and system may use attacker supplied session ID.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
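An added illustration of the mechanism the message refers to (this is example code, not part of the RFC or of PHP's own session module): a custom save handler on PHP 8 with an in-memory store, constructed for demonstration, showing where `session.use_strict_mode=1` lets the server reject a session ID it never issued instead of adopting it.

```php
<?php
// Added example, not from the RFC or the PHP source. Storage is an
// in-process array constructed for illustration; a real handler would
// back this with files, a database or a cache.
class DemoHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private array $store = [];   // session id => serialized session data

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    // With session.use_strict_mode=1 PHP calls this before using an ID taken
    // from the cookie or URL. Returning false makes PHP discard the supplied
    // ID and generate a fresh one, so a cookie value planted by a third party
    // never becomes a live session (session fixation is refused). With strict
    // mode off this method is never consulted and the supplied ID is accepted.
    public function validateId(string $id): bool
    {
        return isset($this->store[$id]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return isset($this->store[$id]);   // nothing to refresh in the demo store
    }
}

ini_set('session.use_strict_mode', '1');   // the default the RFC proposes
ini_set('session.use_only_cookies', '1');  // do not accept IDs from the URL
session_set_save_handler(new DemoHandler(), true);
session_start();

// If the request carried a PHPSESSID the handler does not know, session_id()
// now holds a server-generated value rather than the one that was supplied.
echo session_id(), PHP_EOL;
```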