Enabling same-site cookies by default is a little risky now, because
current browsers don't always set them properly.
https://bugs.chromium.org/p/chromium/issues/detail?id=961617
On Sun, Jun 7, 2020 at 6:42 PM Claude Pache wrote:
> On 7 June 2020 at 22:15, AllenJB wrote:
>
> Are there any other session (security) related settings that should be
> tightened by default? (cookie_samesite?)
Yes, of course:
* session.cookie_httponly should be "1" by default.
* session.cookie_samesite should be "Lax" by default.
* Ideal
Hi all,
While writing an answer to someone regarding session security, I noticed
that session.use_strict_mode is disabled by default, despite it being
"mandatory for session security" (according to the description in the
manual -
https://www.php.net/manual/en/session.configuration.php#ini.ses