PHP RFC: Enable session.use_strict_mode by default
- Version: 1.0
- Date: 2016-07-05
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Declined
- First Published at: http://wiki.php.net/rfc/session-use-strict-mode
Introduction
Due to HTTP cookie implementation, it is easy to create unchangeable/undeletable cookies via JavaScript injections. Single JavaScript injection vulnerability or cookie storage modification via physical access to the client allows attackers to steal user session forever without session.use_strict_mode=1.
NOTE: When multiple cookies are valid for a request, browser sends a highest precedence cookie. Cookie sent by browsers differs browser by browser because there is no cookie precedence standard. Attacker can exploit this browser behavior to set unchangeable cookies by using httponly, secure, domain and path cookie attributes. Security impact differs according to web site setup, used browser and session handling code.
Proposal
Enable session.use_strict_mode INI setting by default.
- session.use_strict_mode=1
in hard coded, php.ini-*.
Document deprecation of obsolete session save handler API that does not support session.use_strict_mode.
- PS_FUNCS
Performance Impact
session.use_strict_mode=1 requires
- Session ID existence validation. (Additional query to session data storage may be needed depending on save handler implementation.)
- New session ID regeneration required when nonexistent session ID is passed.
Files save handler will not be affected much, but external session data storage may have noticeable impact.
Backward Incompatible Changes
session.use_strict_mode=1 can result in lost sessions without changes like
However, lost sessions are far better than stolen sessions.
When attackers set unchangeable session ID cookie for a user, the user will not be able to get valid session ID. i.e. Cannot login via attacker supplied unchangeable session ID, etc.
3rd party session save handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. 3rd party session save handlers must use PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.
Proposed PHP Version(s)
PHP 7.1.0
RFC Impact
To SAPIs
None
To Existing Extensions
Session
To Opcache
None
New Constants
None
php.ini Defaults
session.use_strict_mode=1 for all
- hardcoded default values
- php.ini-development values
- php.ini-production values
Open Issues
Unaffected PHP Functionality
3rd party and user defined session save handlers implementation is not affected.
3rf party session handlers must implement session ID validation handler for session.use_strict_mode=1 to work actually. i.e. PS_FUNCS_SID or PS_FUNCS_UPDATE_TIMESTAMP must be used. PS_FUNCS_UPDATE_TIMESTAMP is strongly recommended.
Future Scope
- Session ID should be managed by TTL timestamp in order to manage session ID correctly and precisely.
- Remove session.use_strict_mode setting and enable it always.
- Remove session_regenerate_id()'s immediate session ID data removal option. i.e. Manage session data lifetime by TTL.
- Remove additional session data storage access by extending session save handler API.
Vote
This project requires 2/3 majority
Vote starts 2016/7/12, ends 2016/07/19 23:59:59 UTC.
Patches and Tests
Not provided as this change is trivial INI default change. Tests scripts are modified to work regardless of session.use_strict_mode=0/1 already.
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
Rejected Features
Keep this updated with features that were discussed on the mail lists.