php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #66951 Add note that session.use_strict_mode relates only to built-in handlers
Submitted: 2014-03-24 22:31 UTC Modified: 2016-08-27 05:25 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: ondrej dot machulda at gmail dot com Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.5.10 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ondrej dot machulda at gmail dot com
New email:
PHP Version: OS:

 

 [2014-03-24 22:31 UTC] ondrej dot machulda at gmail dot com
Description:
------------
The session.use_strict_mode runtime configuration option (PHP 5.5.2+) is now described in the manual like this:

session.use_strict_mode boolean
session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled). 

However, this is not accurate. As noted in https://bugs.php.net/bug.php?id=66947, current behavior is related *only* to built-in session save handlers - file and mm. Once you use custom save handler, the setting is meaningless. 

As this is security setting related to CVE-2011-4718, this behavior should be documented. I propose something like this:
Note: session.use_strict_mode applies only to PHP's built-in session save handlers. If you use custom save handler, you must implement the strict mode yourselves.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-27 05:25 UTC] yohgaki@php.net
-Status: Open +Status: Not a bug
 [2016-08-27 05:25 UTC] yohgaki@php.net
No. User handlers must define session ID validation handler for session ID security. This is mandatory in fact and all users should define the handler.

Documentation should be improved, but the bug report is not valid.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Oct 30 16:01:23 2020 UTC