Hi Stas,

On Tue, Jul 19, 2016 at 7:24 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>> The vote will end in 2 hours, and at least 2 more in favor are required to
>> pass.
>>
>> I don't know the reason why some of us are against this RFC, but the vote is
>> the vote. My guess is you prefer the more precise timestamp-based session
>> management, which was declined.
>
> The number of votes (7) suggests most people either don't care or don't
> understand the issue enough to vote.
>
> Note that default is not necessary to run a secure setup, strictly
> speaking - you can always recommend using non-default setting. It'd be
> useful to hear from people voting "no" of course.

I agree. We should recommend safer usage. In case this is not passed,
I'll improve the manual.

BTW, I wrote some example URLs. http://example.com/ is also vulnerable.
Attackers can use the httponly and secure attributes. I was stunned years ago
that a browser prefers a non-httponly cookie over an httponly cookie. In
general, http://example.com/ is the safest URL, but it is not secure.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
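The cookie-shadowing behaviour Yasuo refers to above, as an added example that is not part of the original message and not PHP's own code: a Python model of the RFC 6265 cookie store and of the Cookie-header ordering browsers apply (longer Path first, then earlier creation time; the Secure and HttpOnly flags play no part), paired with a first-occurrence-wins parser modelled on how PHP fills $_COOKIE. A legitimate HTTPS response sets a Secure+HttpOnly session cookie, and a response an attacker controls at http://example.com/ plants a cookie of the same name with a longer Path. The host, paths, cookie names and values are constructed for the example. It goes one step beyond the message by also modelling the RFC 6265bis "Leave Secure Cookies Alone" rule that newer browsers apply, which refuses a cookie set from an insecure origin if it would shadow an existing Secure cookie.

```python
"""Toy model of RFC 6265 cookie handling: why a Secure+HttpOnly session cookie
can be shadowed by one an attacker sets from http://example.com/ (constructed example)."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Tuple

_clock = itertools.count()  # monotonic stand-in for the cookie creation time


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    creation: int = field(default_factory=lambda: next(_clock))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Cookie store for a single host (domain matching omitted for brevity)."""

    def __init__(self, leave_secure_cookies_alone: bool = False):
        self._store: Dict[Tuple[str, str], Cookie] = {}  # (name, path) -> cookie
        # RFC 6265bis "Leave Secure Cookies Alone" (assumed on/off switch for the demo)
        self.leave_secure_cookies_alone = leave_secure_cookies_alone

    def set_cookie(self, cookie: Cookie, origin_is_secure: bool) -> bool:
        """Store a cookie from a Set-Cookie response; returns False if rejected."""
        if self.leave_secure_cookies_alone and not origin_is_secure:
            if cookie.secure:
                return False  # an insecure origin may not set a Secure cookie at all
            for c in self._store.values():
                if c.name == cookie.name and c.secure and path_matches(cookie.path, c.path):
                    return False  # would shadow an existing Secure cookie: rejected
        key = (cookie.name, cookie.path)
        old = self._store.get(key)
        if old is not None:
            cookie.creation = old.creation  # section 5.3 step 11: keep original creation time
        self._store[key] = cookie
        return True

    def cookie_header(self, request_path: str, request_is_secure: bool) -> str:
        """Build the Cookie header per section 5.4: longer paths first, then
        earlier creation time. Secure/HttpOnly do not influence the order."""
        sent = [c for c in self._store.values()
                if path_matches(request_path, c.path) and (request_is_secure or not c.secure)]
        sent.sort(key=lambda c: (-len(c.path), c.creation))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def php_cookie_array(header: str) -> Dict[str, str]:
    """Parse a Cookie header so that the first occurrence of a name wins,
    modelled on how PHP populates $_COOKIE."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            out.setdefault(name.strip(), value.strip())
    return out


def tossing_demo(leave_secure_cookies_alone: bool = False) -> Tuple[str, bool]:
    """Returns (session id the server sees, whether the attacker cookie was stored)."""
    jar = CookieJar(leave_secure_cookies_alone)
    # https://example.com/ sets the real session cookie with both protective flags
    jar.set_cookie(Cookie("PHPSESSID", "legit", "/", secure=True, httponly=True),
                   origin_is_secure=True)
    # A response the attacker controls at http://example.com/ plants the same
    # name with a longer Path; no Secure/HttpOnly needed (constructed values)
    planted = jar.set_cookie(Cookie("PHPSESSID", "attacker", "/app"), origin_is_secure=False)
    header = jar.cookie_header("/app/index.php", request_is_secure=True)
    return php_cookie_array(header)["PHPSESSID"], planted


if __name__ == "__main__":
    print("RFC 6265 only:            ", tossing_demo())
    print("leave secure cookies alone:", tossing_demo(leave_secure_cookies_alone=True))
```

Without the 6265bis rule the browser sends `PHPSESSID=attacker; PHPSESSID=legit` over HTTPS and a first-wins server adopts the attacker's session id, which is the fixation path the message warns about; with the rule the attacker's Set-Cookie is dropped and the Secure cookie is the only one sent. Note that the mitigation only covers cookies that were set with Secure; a session cookie set without it can still be replaced outright from plain HTTP.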

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php