Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94572
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 17668 invoked from network); 18 Jul 2016 22:54:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Jul 2016 22:54:05 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:51667] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C2/9A-52781-A0E5D875 for <internals@lists.php.net>; Mon, 18 Jul 2016 18:54:05 -0400
Received: (qmail 64079 invoked by uid 89); 18 Jul 2016 22:53:59 -0000
Received: from unknown (HELO mail-qt0-f171.google.com) (yohgaki@ohgaki.net@209.85.216.171)
  by 0 with ESMTPA; 18 Jul 2016 22:53:59 -0000
Received: by mail-qt0-f171.google.com with SMTP id 52so636880qtq.3
        for <internals@lists.php.net>; Mon, 18 Jul 2016 15:53:57 -0700 (PDT)
X-Gm-Message-State: ALyK8tJWdM3TyEQ6hrWvvMyHeVnm8bQ1VfZi3q+lbrHeAAEezJx4HpGDkeR3iHCT22nLpiYPT4VW7WxsxK2MGg==
X-Received: by 10.237.35.76 with SMTP id i12mr18068722qtc.41.1468882432165;
 Mon, 18 Jul 2016 15:53:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Mon, 18 Jul 2016 15:53:12 -0700 (PDT)
In-Reply-To: <0f6e21d1-8e0f-aed8-a644-5f7a5aa8dc5e@gmail.com>
References: <CAGa2bXbZgGe3aq--SZ3D3AC1bYX7mTctDC-6CUy--X+UZ9XEiQ@mail.gmail.com>
 <CAGa2bXaSL9N4C5dr_aT9yt1gfb-Aqb7btfmcbW=v4wZ3cC=ABw@mail.gmail.com>
 <CAGa2bXasdbiVTM_kZkz3s1zswk6sHSzcU130cUuHtVVCTrA92A@mail.gmail.com> <0f6e21d1-8e0f-aed8-a644-5f7a5aa8dc5e@gmail.com>
Date: Tue, 19 Jul 2016 07:53:12 +0900
X-Gmail-Original-Message-ID: <CAGa2bXZfbSvk0zHDQ0RPOnx5PQR8jFBUpa+=cnnycG-FFpx3Kg@mail.gmail.com>
Message-ID: <CAGa2bXZfbSvk0zHDQ0RPOnx5PQR8jFBUpa+=cnnycG-FFpx3Kg@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Enable session.use_strict_mode by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stas,

On Tue, Jul 19, 2016 at 7:24 AM, Stanislav Malyshev <smalyshev@gmail.com> wrote:
>> The vote will end in 2 hours and 2 more in favor is required to pass  at least.
>>
>> I don't know the reason why some of us against this RFC, but vote is
>> the vote. My guess is you prefer more precise timestamp based session
>> managed which has declined.
>
> The number of votes (7) suggests most people either don't care or don't
> understand the issue enough to vote.
>
> Note that default is not necessary to run a secure setup, strictly
> speaking - you can always recommend using non-default setting. It'd be
> useful to hear from people voting "no" of course.

I agree. We should recommend safer usage. In case if this is not passed,
I'll improve the manual.

BTW, I wrote some example URLs. http://example.com/ is also vulunerable.
Attackers can use httponly and secure attributes. I'm stunned by a browser
prefers non-httponly cookie over httponly cookie years ago. In general,
http://example.com/ is the safest URL, but not secure.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net