Request #66947 Session fixation with use_strict_mode on custom save handlers
Submitted: 2014-03-24 15:52 UTC Modified: 2015-05-24 06:19 UTC
Avg. Score:3.7 ± 0.9
Reproduced:0 of 0 (0.0%)
From: ondrej dot machulda at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.5.10 OS:
Private report: No CVE-ID: None

 [2014-03-24 15:52 UTC] ondrej dot machulda at gmail dot com
PHP 5.5.2 introduced the session.use_strict_mode setting, which, if enabled, rejects uninitialized session IDs provided by the client and regenerates the SID with a new one. This protects users from one kind of session fixation attack, see CVE-2011-4718.

The manual states:
session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled). 

However, the strict mode is only implemented in mod_files, thus using any custom session save handler (e.g. memcache, redis, database...) will leave you with this vulnerability exploitable.

I see two problems there:
1) The configuration option may confuse you into thinking you are protected (no matter which session save handler you use), which is apparently not true.
2) IMHO the strict mode could be done handler-agnostic, for example by modifying SessionHandlerInterface to require a validate() method or something.


 [2014-03-24 18:34 UTC]
-Type: Security +Type: Feature/Change Request
 [2014-03-24 18:34 UTC]
I would think this is for save handler authors to implement the necessary code to support use_strict_mode. If you have an idea how to improve the functionality, you're welcome to submit a pull/RFC; however, I do not think that if some custom handler does not implement this capability, this implies a security bug in PHP.
 [2014-03-24 22:10 UTC] ondrej dot machulda at gmail dot com
To be accurate, I missed the mm handler, which also includes the strict mode check. But not the user handler.

So the point is still there - you could enable the setting and assume you are protected (because it is written in the manual). But if you use a custom session save handler, you are in fact not protected at all. And this is not really obvious - a session *save* handler should by definition be just an adapter containing the logic for saving and reading sessions, but care about SID spoofing should IMO be implemented at a lower level.

I'll try to send a PR to update the manual at least. But for me, this is still a bug, not expected behavior.
 [2014-03-24 22:33 UTC] ondrej dot machulda at gmail dot com
Related documentation bug:
 [2014-07-06 01:58 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2014-07-06 01:58 UTC]
As Stas mentioned, users must implement their own strict session, since there is no validate_id() API in user land.

My new patch addresses this issue, but it's not merged yet.
 [2015-05-24 06:19 UTC]
-Status: Assigned +Status: Closed
 [2015-05-24 06:19 UTC]
PS_VALIDATE_SID() is implemented in 7.0.
Save handler authors must support PS_VALIDATE_SID() to enable strict mode.
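The following script is an added example; it is not code from this report or from PHP's own sources. It shows the behaviour discussed in the original report and in the closing comment: with session.use_strict_mode=1, a custom save handler only rejects never-issued IDs if it implements the validateId() hook that PHP 7.0 exposes to user-land handlers through SessionUpdateTimestampHandlerInterface (the user-land side of PS_VALIDATE_SID()). The class names StrictArrayHandler and LaxArrayHandler, the helper startWithSuppliedId(), and the 32-character fixated ID are constructed for the demonstration; the in-memory store stands in for memcache, redis or a database. It assumes PHP 7.0 or later, run from the CLI.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Requires PHP >= 7.0 (SessionUpdateTimestampHandlerInterface exposes the
// PS_VALIDATE_SID() hook to user-land handlers as validateId()).
// Run from the CLI: php strict_mode_demo.php

// Minimal in-memory save handler (hypothetical name). Implementing the second
// interface is what makes session.use_strict_mode effective for a custom handler.
final class StrictArrayHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> id => serialized session data (constructed store) */
    private $store = [];

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return isset($this->store[$id]) ? $this->store[$id] : ''; }
    public function write($id, $data): bool { $this->store[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($maxLifetime): int { return 0; }

    // Strict-mode hook: accept only ids this handler has itself stored.
    // Any other id is "uninitialized" and PHP replaces it with a fresh one.
    public function validateId($id): bool { return isset($this->store[$id]); }

    public function updateTimestamp($id, $data): bool { return $this->write($id, $data); }
}

// Same store, but without validateId() (hypothetical name). PHP's user handler
// treats a missing validate_sid callback as "always valid", so strict mode
// has nothing to reject with.
final class LaxArrayHandler implements SessionHandlerInterface
{
    private $store = [];
    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return isset($this->store[$id]) ? $this->store[$id] : ''; }
    public function write($id, $data): bool { $this->store[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($maxLifetime): int { return 0; }
}

// Start a session with a client-supplied id and return the id PHP actually used.
function startWithSuppliedId(SessionHandlerInterface $handler, string $suppliedId): string
{
    session_set_save_handler($handler, true);
    session_id($suppliedId);          // stands in for the id arriving in the cookie
    session_start();
    $effective = session_id();
    $_SESSION['touched'] = true;      // make sure the id is written to the store
    session_write_close();
    return $effective;
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');  // CLI demo: no Set-Cookie header needed

$fixated = str_repeat('a', 32);       // constructed: syntactically valid, never issued

$lax = new LaxArrayHandler();
$got = startWithSuppliedId($lax, $fixated);
echo "lax handler:    ", ($got === $fixated ? "adopted the fixated id\n" : "rejected it\n");

$strict = new StrictArrayHandler();
$got = startWithSuppliedId($strict, $fixated);
echo "strict handler: ", ($got === $fixated ? "adopted the fixated id\n" : "rejected it, issued $got\n");

// An id that the strict handler issued itself is accepted on the next request.
$again = startWithSuppliedId($strict, $got);
echo "strict handler: ", ($again === $got ? "known id accepted\n" : "known id rejected (unexpected)\n");
```

The first run adopts the attacker-chosen ID even though strict mode is on, which is the gap the report describes; the second run discards it and issues a fresh ID because validateId() reports it as unknown; the third run shows that validateId() still accepts IDs the handler itself created, so legitimate sessions keep working. The check that matters for a real backend is the same one: validateId() must return true only for IDs that exist in the store because the server created them.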
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Jan 27 06:05:52 2023 UTC