Newsgroups: php.internals
Date: Tue, 19 Jul 2016 07:07:23 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Re: [RFC][VOTE] Enable session.use_strict_mode by default

Hi all,

A reminder that the vote is ending.
On Fri, Jul 15, 2016 at 7:06 AM, Yasuo Ohgaki wrote:
> On Tue, Jul 12, 2016 at 10:01 AM, Yasuo Ohgaki wrote:
>> The vote for the "Enable session.use_strict_mode by default" RFC has started.
>>
>> https://wiki.php.net/rfc/session-use-strict-mode
>>
>> Vote ends 2017/07/19 UTC.
>
> Some of us are against this RFC.
> The consequences of disabling use_strict_mode
> (allowing uninitialized session IDs by the session module) are severe.
>
> I would like to know the reason why.
>
> Thank you!
>
> P.S. This RFC requires 2/3 in favor to pass.

The vote will end in 2 hours, and at least 2 more votes in favor are required to pass.

I don't know the reason why some of us are against this RFC, but a vote is a vote.
My guess is that you prefer more precise timestamp-based session management, which has been declined.

Regards,

P.S. I am waiting for the reason why you are against this RFC, regardless of the vote result.

Sites that have URL styles such as http://www.example.com/ or http://example.com/app/ could be compromised very easily without session ID validation. An attacker can exploit them by setting unchangeable cookies via a single JavaScript injection, i.e. session_regenerate_id(true) wouldn't help to make sure users get a new ID, and the system may use an attacker-supplied session ID.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
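The rejection of uninitialized IDs that the thread argues for is driven entirely by the save handler's validateId() hook: the built-in files handler checks that the session file exists, and a user handler that does not implement the hook cannot reject anything. The following is an added example, not code from the RFC or from this thread; it assumes PHP 7.0 or later (for SessionUpdateTimestampHandlerInterface) and a writable temp directory, and the class and directory names are made up for the illustration:

```php
<?php
// Added example (not the RFC's or the thread's code); assumes PHP 7.0+ for
// SessionUpdateTimestampHandlerInterface and a writable temp directory.
// With use_strict_mode on, PHP calls validateId() for every client-supplied ID
// and replaces any ID the handler does not know with a freshly generated one,
// so an ID planted in a cookie the application cannot overwrite is never adopted.
ini_set('session.use_strict_mode', '1');   // the default this RFC proposes
ini_set('session.use_only_cookies', '1');

final class StrictFileHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $dir;

    public function __construct($dir) { $this->dir = $dir; }

    private function path($id): string
    {   // keep only the characters PHP itself uses in session IDs
        return $this->dir . '/sess_' . preg_replace('/[^A-Za-z0-9,-]/', '', $id);
    }

    public function open($savePath, $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    public function read($id): string
    {
        $p = $this->path($id);
        return is_file($p) ? (string) file_get_contents($p) : '';
    }
    public function write($id, $data): bool { return file_put_contents($this->path($id), $data, LOCK_EX) !== false; }
    public function destroy($id): bool { $p = $this->path($id); return !is_file($p) || unlink($p); }
    public function gc($maxLifetime): int
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }

    // The strict-mode hook: an ID is valid only if this handler created it.
    public function validateId($id): bool { return is_file($this->path($id)); }
    public function updateTimestamp($id, $data): bool { return touch($this->path($id)); }
}

session_set_save_handler(new StrictFileHandler(sys_get_temp_dir() . '/strict_sessions'), true);
session_start();
// A request carrying an unknown PHPSESSID does not get to keep it: session_id() is a new ID.
```

With session.use_strict_mode left at 0, the same handler's validateId() is never consulted and whatever ID arrives in the cookie becomes the session, which is the scenario the message above describes.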