Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing
From: derick@php.net (Derick Rethans)
To: Leigh
Cc: Yasuo Ohgaki, "internals@lists.php.net"
Date: Thu, 7 Jul 2016 13:32:06 +0100 (BST)

On Sat, 2 Jul 2016, Leigh wrote:

> Your patch updates session.use_strict_mode from 0 to 1. I actually don't
> know what this changes, but it's an undocumented change.

http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode

session.use_strict_mode specifies whether the module will use strict session
ID mode. If this mode is enabled, the module does not accept an uninitialized
session ID. If an uninitialized session ID is sent from the browser, a new
session ID is sent to the browser.

Applications are protected from session fixation via session adoption with
strict mode. Defaults to 0 (disabled).
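As an added example, not part of this message or of PHP's own sources: a constructed in-memory save handler implementing validateId(), which is what strict mode relies on in a user-defined handler to tell a server-issued session ID from one the client made up. It assumes PHP 7.0 or later on the CLI; the seeded ID, the forged ID and the simulated cookie are all constructed here.

```php
<?php
// Constructed in-memory save handler (not from the thread). Strict mode asks
// validateId() about every ID the client presents; returning false makes PHP
// drop the presented ID and issue a fresh one instead of adopting it.
final class MemorySessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> id => serialized session data */
    private $store;

    public function __construct(array $knownIds)
    {
        // Seeded with IDs the "server" has already issued (constructed).
        $this->store = array_fill_keys($knownIds, '');
    }
    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return $this->store[$id] ?? ''; }
    public function write($id, $data): bool { $this->store[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($maxLifetime): int { return 0; }
    // Only IDs this handler has actually issued are considered valid.
    public function validateId($id): bool { return isset($this->store[$id]); }
    public function updateTimestamp($id, $data): bool { return $this->write($id, $data); }
}

// Starts a session as if the browser had sent $presented in the session cookie
// and returns the ID PHP actually used for the session.
function startWithPresentedId(string $presented, bool $strictMode): string
{
    ini_set('session.use_strict_mode', $strictMode ? '1' : '0');
    session_set_save_handler(new MemorySessionHandler(['serverissued0001']), true);
    $_COOKIE[session_name()] = $presented;   // simulated browser cookie (constructed)
    session_start();
    return session_id();
}

// Usage: php session_strict.php 0  -> the forged ID is adopted (fixation works)
//        php session_strict.php 1  -> the forged ID is rejected, new ID issued
$strict = ($argv[1] ?? '1') === '1';
$forged = 'attackerchosen42';            // an ID the server never issued
$used = startWithPresentedId($forged, $strict);
printf("strict=%d presented=%s used=%s adopted=%s\n",
    $strict, $forged, $used, $used === $forged ? 'yes' : 'no');
```

Run it twice, once per mode, since the session ID cannot be reset cleanly within one process; presenting the seeded ID 'serverissued0001' instead is accepted in both modes, which is the distinction strict mode enforces.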