Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
On 13 Sept. 2024 at 16:13, etkaar etkaar@akayo.eu wrote:
Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
Hi,
- Defaulting session.cookie_httponly to true seems very reasonable.
- Beware that if you set session.cookie_secure to true, you will break websites that are not served across https. Moreover, the reason for the breakage may not be evident.
- You forgot another obvious setting: session.cookie_samesite must be "Lax" by default.
- We should also consider setting session.use_strict_mode to true, in order to mitigate session fixation attacks.
—Claude
On 13 Sept. 2024 at 16:13, etkaar etkaar@akayo.eu wrote:
Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
Hi,
- Defaulting session.cookie_httponly to true seems very reasonable.
- Beware that if you set session.cookie_secure to true, you will break websites that are not served across https. Moreover, the reason for the breakage may not be evident.
- You forgot another obvious setting: session.cookie_samesite must be "Lax" by default.
- We should also consider setting session.use_strict_mode to true, in order to mitigate session fixation attacks.
—Claude
Hi,
Maybe, session.cookie_secure could use an additional value like 'auto' which would enable it for https and disable for http. Symfony does it too:
https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure
Kind regards,
Faizan
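As an added illustration (not code from the thread or from php-src), the following applies the four defaults Claude lists at runtime, and emulates the 'auto' behaviour Faizan proposes for session.cookie_secure, which PHP itself does not offer; the HTTPS detection via $_SERVER is an assumption of this example.

```php
<?php
// Added example: apply the discussed session cookie defaults before
// session_start(). Works on PHP 7.3+ (cookie_samesite ini setting).

function request_is_https(): bool
{
    // HTTPS is the classic CGI flag; REQUEST_SCHEME is set by most SAPIs.
    // Behind a TLS-terminating proxy neither is set; trusting a forwarded
    // header would need a trusted-proxy allowlist and is deliberately not
    // done here.
    return (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['REQUEST_SCHEME'] ?? '') === 'https');
}

function harden_session_cookie(): void
{
    // Cookie is not exposed to client-side script.
    ini_set('session.cookie_httponly', '1');
    // Cross-site subrequests do not carry the session cookie.
    ini_set('session.cookie_samesite', 'Lax');
    // Reject session IDs the server never issued (session fixation).
    ini_set('session.use_strict_mode', '1');
    // Emulated "auto": Secure only when the request arrived over TLS,
    // so plain-http deployments keep working (the breakage Claude warns about).
    ini_set('session.cookie_secure', request_is_https() ? '1' : '0');
}

harden_session_cookie();
session_start();
```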