Newsgroups: php.internals
Subject: Session default settings (use_strict_mode)
From: php.lists@allenjb.me.uk (AllenJB)
To: PHP internals
Date: Sun, 7 Jun 2020 21:15:48 +0100
Message-ID: <4096e114-49ba-d553-f4a9-ce65cbda14f5@allenjb.me.uk>

Hi all,

While writing an answer to someone regarding session security, I noticed that session.use_strict_mode is disabled by default, despite it being "mandatory for session security" (according to the description in the manual - https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode ).

I tried a search of the mailing list and found an RFC declined 4 years ago, albeit with very few votes: https://externals.io/message/94484

Should use_strict_mode be enabled by default?

My best guess is the previous RFC was declined due to the issues with lost sessions enumerated in the above linked thread. Do these still exist (have there been changes since this RFC)? Could the feature be improved to mitigate or remove these?

If the setting default is not changed, should the manual description of this setting be improved to describe why it's not enabled by default?

Are there any other session (security) related settings that should be tightened by default? (cookie_samesite?)

AllenJB
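The settings the post asks about (session.use_strict_mode, and cookie_samesite as a candidate) are INI values an application can tighten itself rather than waiting for the default to change. The following is an added example, not code from the post or from the PHP project: it audits the running interpreter's session INI values against a hardened set and applies that set before session_start(). The SESSION_HARDENED values (in particular the choice of "Lax" for SameSite), the function names, and the "_rotated" session key are my assumptions; only use_strict_mode and cookie_samesite are mentioned in the post. The reason use_strict_mode matters is that with it off, PHP will adopt a session ID the client presents even though PHP never issued it, which is the precondition for session fixation; with it on, such an ID is discarded and a fresh one is generated.

```php
<?php
declare(strict_types=1);

// Hardened session INI values (assumed recommendations, adjust per application).
// use_strict_mode and cookie_samesite are the two settings the thread discusses;
// the other flags are the usual companions for a session cookie.
const SESSION_HARDENED = [
    'session.use_strict_mode'  => '1',    // refuse session IDs PHP did not generate itself
    'session.cookie_httponly'  => '1',    // keep the cookie out of document.cookie
    'session.cookie_secure'    => '1',    // send the cookie over HTTPS only
    'session.cookie_samesite'  => 'Lax',  // PHP >= 7.3; 'Strict' is tighter but breaks cross-site entry links
    'session.use_only_cookies' => '1',    // never accept the session ID from the URL
];

/**
 * Map the various php.ini spellings of booleans ("1", "On", "true", "") onto
 * "1"/"0" so that ini_get() output can be compared with the recommended value.
 */
function normalise_ini(string $value): string
{
    $v = strtolower(trim($value));
    if (in_array($v, ['1', 'on', 'true', 'yes'], true)) {
        return '1';
    }
    if (in_array($v, ['0', 'off', 'false', 'no', ''], true)) {
        return '0';
    }
    return $v;
}

/**
 * Compare the live INI configuration with $recommended.
 * Returns a list of findings, each [setting, current value, recommended value].
 * A setting this PHP build does not know (ini_get() returns false) is reported
 * as "(unavailable)", e.g. cookie_samesite on PHP < 7.3.
 */
function audit_session_ini(array $recommended = SESSION_HARDENED): array
{
    $findings = [];
    foreach ($recommended as $key => $want) {
        $have = ini_get($key);
        if ($have === false) {
            $findings[] = [$key, '(unavailable)', $want];
            continue;
        }
        if (normalise_ini($have) !== normalise_ini($want)) {
            $findings[] = [$key, $have, $want];
        }
    }
    return $findings;
}

/**
 * Apply the hardened values, then start the session. ini_set() must run
 * before session_start(), since the session module reads these at start-up.
 */
function start_hardened_session(): void
{
    foreach (SESSION_HARDENED as $key => $value) {
        ini_set($key, $value);
    }
    session_start();
    // Rotate the ID the first time this session is seen; a real application
    // would also call session_regenerate_id(true) at login and on privilege changes.
    if (empty($_SESSION['_rotated'])) {
        session_regenerate_id(true);
        $_SESSION['_rotated'] = true;
    }
}

// When run from the command line, only print the audit; no session is started.
if (PHP_SAPI === 'cli') {
    $findings = audit_session_ini();
    if ($findings === []) {
        echo "All audited session settings already match the hardened values.\n";
    }
    foreach ($findings as [$key, $have, $want]) {
        printf("%-28s is %-14s recommended %s\n", $key, var_export($have, true), $want);
    }
}
```

Run it with `php -d session.use_strict_mode=0 audit.php` to see the default reported as a finding, and again with `-d session.use_strict_mode=1` to see it disappear. Note that session.cookie_secure=1 means the cookie is never sent over plain HTTP, so a local development setup without TLS needs that one relaxed, which is exactly the kind of "lost session" complaint that argues for doing this per application rather than in a global default.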