Newsgroups: php.internals
Date: Tue, 19 Jul 2016 10:40:16 +0900
To: "internals@lists.php.net", Derick Rethans, kguest@php.net, kinncj@php.net, zimt@php.net
Subject: Re: [RFC][VOTE] Enable session.use_strict_mode by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Tue, Jul 12, 2016 at 10:01 AM, Yasuo Ohgaki wrote:
> Vote for "Enable session.use_strict_mode by default" RFC has started.
>
> https://wiki.php.net/rfc/session-use-strict-mode
>
> Vote ends 2017/07/19 UTC.
>
> Thank you for voting!

The vote has finished 4 vs 4. The RFC is declined.

I'll improve the manual so that attackers will not enjoy stealing PHP web app accounts.

Besides documentation, we must improve the way it is now, i.e. not let attackers steal accounts easily with the default configuration.

To decide the next move, I would like to start by hearing the reasons from those who are against this RFC.

Regards,

BTW, we cannot blame browser developers, because the cookie spec is broken in the first place.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
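The difference the RFC was about, shown as an added example (this is not code from the thread or from PHP itself): a command-line script that simulates a session fixation attempt under both settings of session.use_strict_mode. The attacker chooses a session ID in advance and arranges for the victim's browser to present it; the question is whether PHP adopts that ID for the victim's session. The attacker-chosen IDs, the temp-dir save path and the `startWithPresentedId` helper are all constructed for this example.

```php
<?php
// Added example, not part of the original thread or of PHP's own sources.
// Simulates a session fixation attempt with session.use_strict_mode off and on.
// Runs under php-cli; no web server or browser is needed.

declare(strict_types=1);

// Start a session as if the client had sent $presentedId, under the given
// use_strict_mode setting, and return the ID the session actually ended up with.
function startWithPresentedId(string $useStrictMode, string $presentedId): string
{
    // All ini changes happen while no session is active; PHP rejects them otherwise.
    ini_set('session.use_strict_mode', $useStrictMode);
    ini_set('session.save_path', sys_get_temp_dir());   // constructed location for the demo
    ini_set('session.use_cookies', '0');                // CLI demo: no Set-Cookie header
    ini_set('session.cache_limiter', '');               // CLI demo: no cache headers

    session_id($presentedId);        // stands in for the browser sending the cookie
    session_start();
    $_SESSION['user'] = 'victim';    // the victim now authenticates on this session
    $adopted = session_id();
    session_write_close();
    return $adopted;
}

// Remove the session file(s) the demo created in the save path.
function cleanupSessionFiles(string ...$ids): void
{
    foreach ($ids as $id) {
        $file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_' . $id;
        if (is_file($file)) {
            unlink($file);
        }
    }
}

// Attacker-chosen IDs (constructed; alphanumeric so the files handler accepts them).
// They have never been initialized by PHP, which is exactly what strict mode checks.
$attackerIdStrict = 'attackerchosen0001';
$attackerIdLax    = 'attackerchosen0002';

// Case 1: use_strict_mode=1 (what the RFC proposed as the default).
// PHP refuses the uninitialized ID and generates a fresh one, so the attacker's
// copy of the ID never maps to the victim's authenticated session.
$adoptedStrict = startWithPresentedId('1', $attackerIdStrict);
$fixationBlocked = ($adoptedStrict !== $attackerIdStrict);

// Case 2: use_strict_mode=0 (the default that was kept).
// PHP adopts whatever ID it is handed, so after the victim logs in the attacker,
// who already knows the ID, shares the authenticated session.
$adoptedLax = startWithPresentedId('0', $attackerIdLax);
$fixationSucceeded = ($adoptedLax === $attackerIdLax);

cleanupSessionFiles($attackerIdStrict, $adoptedStrict, $attackerIdLax, $adoptedLax);

printf("use_strict_mode=1: presented %s, adopted %s -> fixation %s\n",
    $attackerIdStrict, $adoptedStrict, $fixationBlocked ? 'blocked' : 'NOT blocked');
printf("use_strict_mode=0: presented %s, adopted %s -> fixation %s\n",
    $attackerIdLax, $adoptedLax, $fixationSucceeded ? 'succeeded' : 'failed');
```

The same setting belongs in php.ini as `session.use_strict_mode = 1` for every deployment, since the RFC's outcome means the shipped default stays at 0. Strict mode is only one half of the defence: an application must still call `session_regenerate_id(true)` at every privilege change (login in particular), because an attacker can also obtain a valid, initialized ID by visiting the site first and then planting that one.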