Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
On 13 Sept 2024 at 16:13, etkaar etkaar@akayo.eu wrote:
Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
Hi,
- Defaulting session.cookie_httponly to true seems very reasonable.
- Beware that if you set session.cookie_secure to true, you will break websites that are not served across https. Moreover, the reason for the breakage may not be evident.
- You forgot another obvious setting: session.cookie_samesite must be "Lax" by default.
- We should also consider setting session.use_strict_mode to true, in order to mitigate session fixation attacks.
—Claude
Hi,
Maybe session.cookie_secure could use an additional value like 'auto', which would enable it for https and disable it for http. Symfony does it too:
https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure
Kind regards,
Faizan
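As an added example (not code from the php-src issue, from the thread's authors, or from Symfony), the following PHP bootstrap applies the four settings Claude lists above from userland, before session_start(), and derives cookie_secure from the request scheme in the way Faizan's 'auto' suggestion describes. The function names (request_is_https, hardened_session_cookie_params, start_hardened_session) and the $trustProxy flag are this example's own; it assumes PHP 7.3 or later (array form of session_set_cookie_params) and the standard $_SERVER keys of a web SAPI.

```php
<?php
// Added example, not code from the php-src issue or the thread's authors.
// Applies the session cookie defaults proposed in the thread before the
// session starts, and computes cookie_secure from the request scheme
// ("auto"). Assumes PHP >= 7.3 and the usual $_SERVER keys of a web SAPI.

declare(strict_types=1);

/**
 * Decide whether the current request arrived over HTTPS.
 *
 * Only $_SERVER['HTTPS'] and the server port are consulted by default.
 * X-Forwarded-Proto is deliberately NOT trusted unless $trustProxy is set:
 * a client can send that header itself, so it is only meaningful when a
 * reverse proxy in front of PHP is known to overwrite it.
 */
function request_is_https(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Cookie parameters as discussed in the thread: httponly on, SameSite=Lax,
 * and 'secure' derived from the request ("auto") instead of fixed to true,
 * so plain-http sites keep working while https sites get the flag.
 */
function hardened_session_cookie_params(bool $https): array
{
    return [
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // host-only cookie; do not widen to parent domains
        'secure'   => $https,   // "auto": true over https, false over http
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs or subresources
    ];
}

function start_hardened_session(array $server, bool $trustProxy = false): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started; cookie params cannot be changed now
    }

    // Reject session IDs the server did not itself issue: an ID planted by an
    // attacker (session fixation) is discarded and a fresh one generated.
    ini_set('session.use_strict_mode', '1');

    // Never accept or propagate the session ID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params(
        hardened_session_cookie_params(request_is_https($server, $trustProxy))
    );
    session_start();
}

// Usage from a front controller. Pass true as the second argument only when
// a reverse proxy in front of PHP is known to overwrite X-Forwarded-Proto.
start_hardened_session($_SERVER, false);
```

Two caveats a practitioner should keep in mind: in "auto" mode a session established over plain http is still sent without the Secure flag, so it is only as protected as the transport it was created on; and use_strict_mode stops unknown IDs from being adopted, but calling session_regenerate_id(true) after login remains the usual second half of the session fixation defence.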