Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session default settings (use_strict_mode)
From: kohler@seas.harvard.edu (Eddie Kohler)
Date: Mon, 8 Jun 2020 10:36:39 -0400
To: Claude Pache
Cc: AllenJB, PHP internals
References: <4096e114-49ba-d553-f4a9-ce65cbda14f5@allenjb.me.uk>

Enabling same-site cookies by default is a little risky now, because current browsers don't always set them properly.

https://bugs.chromium.org/p/chromium/issues/detail?id=961617

On Sun, Jun 7, 2020 at 6:42 PM Claude Pache wrote:
>
> > On 7 June 2020 at 22:15, AllenJB wrote:
> >
> > Are there any other session (security) related settings that should be tightened by default? (cookie_samesite?)
>
> Yes, of course:
>
> * session.cookie_httponly should be "1" by default.
> * session.cookie_samesite should be "Lax" by default.
> * Ideally, session.cookie_secure should be enabled by default on https; sadly, the setting does not allow having different values for secure and insecure connections.
>
> —Claude
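The per-connection `secure` value that Claude notes the ini setting cannot express is straightforward to set at runtime, and the other proposed defaults can be checked against the live configuration at startup. The following is an added example, not code from this thread or from php-src; the function names are mine, the "stock php.ini" values are constructed, and it assumes PHP 7.3 or later for the array form of session_set_cookie_params(). It applies `SameSite=Lax` as the thread proposes; Eddie's caveat about browser handling of the attribute still applies to whatever value is chosen.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or php-src. Applies the session cookie
// defaults proposed in the thread at runtime and computes "secure" per
// request, which a single php.ini value cannot express.

/**
 * Cookie parameters for the current request. $server is normally $_SERVER;
 * it is passed in so the function can be exercised without a web SAPI.
 */
function hardened_session_cookie_params(array $server): array
{
    // Most SAPIs set HTTPS to a non-empty value for TLS requests; IIS sets "off" for plain HTTP.
    $https = (string) ($server['HTTPS'] ?? '');
    $isHttps = $https !== '' && strtolower($https) !== 'off';

    return [
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',         // host-only cookie
        'secure'   => $isHttps,   // only flag Secure when this request arrived over TLS
        'httponly' => true,       // not readable from script
        'samesite' => 'Lax',      // the default the thread proposes
    ];
}

/**
 * Return the session settings that are weaker than the defaults proposed in
 * the thread, keyed by ini name. $get defaults to ini_get() and is injectable
 * so the check can run against a constructed configuration.
 */
function weak_session_settings(callable $get = 'ini_get'): array
{
    $weak = [];

    // Boolean settings: ini_get() may return "1", "0", "", "On" or "Off".
    foreach (['session.use_strict_mode', 'session.cookie_httponly'] as $key) {
        $value = (string) $get($key);
        if (filter_var($value, FILTER_VALIDATE_BOOLEAN) !== true) {
            $weak[$key] = $value === '' ? '(unset)' : $value;
        }
    }

    // SameSite: "Lax" is the proposed floor; "Strict" is stronger and is not reported.
    $samesite = (string) $get('session.cookie_samesite');
    if (!in_array(strtolower($samesite), ['lax', 'strict'], true)) {
        $weak['session.cookie_samesite'] = $samesite === '' ? '(unset)' : $samesite;
    }

    return $weak;
}

// Constructed configuration standing in for a stock php.ini where none of the
// three settings has been hardened.
$stockIni = [
    'session.use_strict_mode' => '0',
    'session.cookie_httponly' => '',
    'session.cookie_samesite' => '',
];
$report = weak_session_settings(function (string $key) use ($stockIni): string {
    return $stockIni[$key] ?? '';
});

if (PHP_SAPI !== 'cli') {
    // Must run before session_start(); the array form needs PHP 7.3+.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(hardened_session_cookie_params($_SERVER));
    session_start();
} else {
    foreach ($report as $key => $value) {
        fwrite(STDERR, "$key is $value, weaker than the proposed default\n");
    }
}
```

Run under a web SAPI the script hardens the session cookie before the session is started; run from the CLI it only reports which of the constructed settings fall below the defaults Claude lists, which is the same check one would point at the real ini_get() in a deployment smoke test.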