Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session default settings (use_strict_mode)
From: claude.pache@gmail.com (Claude Pache)
To: AllenJB
Cc: PHP internals
Date: Mon, 8 Jun 2020 00:42:24 +0200
In-Reply-To: <4096e114-49ba-d553-f4a9-ce65cbda14f5@allenjb.me.uk>

> On 7 June 2020 at 22:15, AllenJB wrote:
>
> Are there any other session (security) related settings that should be tightened by default? (cookie_samesite?)
Yes, of course:

* session.cookie_httponly should be "1" by default.
* session.cookie_samesite should be "Lax" by default.
* Ideally, session.cookie_secure should be enabled by default on https; sadly, the setting does not allow having different values for secure and insecure connections.

—Claude
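The settings listed above, applied at runtime as an added example (not code from the thread or from PHP itself): since session.cookie_secure is a single ini value, the script decides per request whether the connection is TLS before calling session_start(). It assumes PHP 7.3 or later (array form of session_set_cookie_params, session.cookie_samesite) and a plain, non-proxied server; `hardened_session_cookie_params` and `$isHttps` are names chosen here.

```php
<?php
// Added example: hardened session cookie parameters from the discussion,
// set before session_start() so they apply to the session cookie itself.
declare(strict_types=1);

function hardened_session_cookie_params(bool $isHttps): array
{
    return [
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => $isHttps,   // send only over TLS when the request itself was TLS
        'httponly' => true,       // not readable from JavaScript (limits cookie theft via XSS)
        'samesite' => 'Lax',      // not attached to cross-site POSTs (CSRF mitigation)
    ];
}

// Assumption: PHP sees the TLS connection directly. Behind a TLS-terminating
// proxy you would instead check a proxy-set header that the proxy is known to
// overwrite, never a client-supplied one.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['SERVER_PORT'] ?? null) == 443);

// use_strict_mode rejects session IDs the server never issued, so a client
// cannot pre-choose its own session ID (session fixation defence).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params(hardened_session_cookie_params($isHttps));
session_start();
```

The same values can be fixed server-wide in php.ini (session.cookie_httponly=1, session.cookie_samesite=Lax, session.use_strict_mode=1); only the secure flag needs the per-request decision shown here.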