On Mon, Jul 18, 2016 at 9:40 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> On Tue, Jul 12, 2016 at 10:01 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > Vote for "Enable session.use_strict_mode by default" RFC has started.
> >
> > https://wiki.php.net/rfc/session-use-strict-mode
> >
> > Vote ends 2017/07/19 UTC.
> >
> > Thank you for voting!
>
> Vote is finished, 4 vs 4. The RFC is declined.
> I'll improve the manual so that attackers would not enjoy stealing PHP
> web app accounts.
>
> Besides documentation, we must improve the way it is now, i.e. do not
> let attackers steal accounts easily with default configuration.
>
> To decide the next move, I would like to start hearing the reasons from
> those who are against this RFC.

I abstained from voting. While I would be a "Yes" in principle, two specific statements in the RFC made me wary of following that instinct:

1. "external session data storage may have noticeable impact"
2. "lost sessions are far better than stolen sessions"

I can hand wave the first one away, as performance can usually be optimized. But I can't really agree that, in general, lost sessions are "far better" than stolen ones: if lost sessions happen 1% of the time, and stolen sessions happen .001% of the time, then to me lost sessions are worse.