Hi all,

While writing an answer to someone regarding session security, I noticed that session.use_strict_mode is disabled by default, despite it being "mandatory for session security" (according to the description in the manual - https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode ).

I tried a search of the mailing list and found an RFC declined 4 years ago, albeit with very few votes: https://externals.io/message/94484

Should use_strict_mode be enabled by default?

My best guess is the previous RFC was declined due to the issues with lost sessions enumerated in the above linked thread. Do these still exist (have there been changes since this RFC)? Could the feature be improved to mitigate or remove these?

If the setting default is not changed, should the manual description of this setting be improved to describe why it's not enabled by default?

Are there any other session (security) related settings that should be tightened by default? (cookie_samesite?)

AllenJB
On 7 June 2020 at 22:15, AllenJB php.lists@allenjb.me.uk wrote:
> Are there any other session (security) related settings that should be tightened by default? (cookie_samesite?)
Yes, of course:
- session.cookie_httponly should be "1" by default.
- session.cookie_samesite should be "Lax" by default.
- Ideally, session.cookie_secure should be enabled by default on https; sadly, the setting does not allow to have different values for secure and insecure connections.
—Claude
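As an added illustration (not code from the thread or from PHP itself), the settings listed above plus use_strict_mode can be applied at runtime before session_start(); deciding session.cookie_secure from the request scheme works around the single-value limitation Claude mentions. The HTTPS detection via $_SERVER['HTTPS'] is an assumption that holds for a direct connection, not behind a TLS-terminating proxy.

```php
<?php
// Added example, not from the thread: apply the hardened session settings
// discussed in this message at runtime, before any output and before
// session_start().

declare(strict_types=1);

function harden_session_settings(bool $isHttps): array
{
    // Reject client-supplied session IDs that the save handler has never
    // issued; this is what session.use_strict_mode controls.
    ini_set('session.use_strict_mode', '1');

    // Keep the cookie out of document.cookie and off cross-site requests
    // (PHP 7.3+ understands the samesite cookie parameter).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');

    // session.cookie_secure is one ini value for every request, so decide it
    // here per request instead of in php.ini.
    ini_set('session.cookie_secure', $isHttps ? '1' : '0');

    // Return the effective values so a deployment check can inspect them.
    return [
        'use_strict_mode' => ini_get('session.use_strict_mode'),
        'cookie_httponly' => ini_get('session.cookie_httponly'),
        'cookie_samesite' => ini_get('session.cookie_samesite'),
        'cookie_secure'   => ini_get('session.cookie_secure'),
    ];
}

// Assumption: direct TLS connection, so $_SERVER['HTTPS'] is authoritative.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

$effective = harden_session_settings($isHttps);
session_start();
```

Each key of the returned array should read "1", "1", "Lax" and (on HTTPS) "1"; anything else means an earlier ini_set was overridden or disallowed by the SAPI configuration.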
Enabling same-site cookies by default is a little risky now, because
current browsers don't always set them properly.
https://bugs.chromium.org/p/chromium/issues/detail?id=961617