Doc Bug #66951 Add note that session.use_strict_mode relates only to built-in handlers
Submitted: 2014-03-24 22:31 UTC Modified: 2016-08-27 05:25 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: ondrej dot machulda at gmail dot com Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.5.10 OS:
Private report: No CVE-ID: None
 [2014-03-24 22:31 UTC] ondrej dot machulda at gmail dot com
Description:
------------
The session.use_strict_mode runtime configuration option (PHP 5.5.2+) is now described in the manual like this:

session.use_strict_mode boolean
session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled). 

However, this is not accurate. As noted in https://bugs.php.net/bug.php?id=66947, the current behavior applies *only* to the built-in session save handlers - files and mm. Once you use a custom save handler, the setting is meaningless.

As this is a security setting related to CVE-2011-4718, this behavior should be documented. I propose something like this:
Note: session.use_strict_mode applies only to PHP's built-in session save handlers. If you use a custom save handler, you must implement the strict mode yourself.


History

 [2016-08-27 05:25 UTC] yohgaki@php.net
-Status: Open +Status: Not a bug
 [2016-08-27 05:25 UTC] yohgaki@php.net
No. User handlers must define a session ID validation handler for session ID security. This is in fact mandatory, and all users should define the handler.

Documentation should be improved, but the bug report is not valid.
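For the custom-handler case the comment above refers to, here is an added example (not code from this report or from PHP itself) of a user save handler that supplies the validation hook strict mode needs. It assumes PHP 7.4 or later, a directory under the system temp dir as storage, and that the handler is registered before session_start().

```php
<?php
// Added example, not from the bug report or PHP's own sources. Assumes PHP >= 7.4:
// with session.use_strict_mode=1, PHP consults validateId() on a user handler
// that implements SessionUpdateTimestampHandlerInterface and replaces any ID
// that fails it, which is the session-adoption protection the report describes.
final class StrictFileSessionHandler implements SessionHandlerInterface,
    SessionUpdateTimestampHandlerInterface
{
    private $dir;

    public function __construct(string $dir) { $this->dir = rtrim($dir, '/'); }
    private function path(string $id): string { return $this->dir . '/sess_' . $id; }

    // Strict-mode hook: accept only an ID in PHP's own character set that this
    // server already issued (a record exists). Anything else gets a fresh ID.
    public function validateId($id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1
            && is_file($this->path($id));
    }
    public function updateTimestamp($id, $data): bool { return touch($this->path($id)); }

    public function open($savePath, $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }

    // An unknown ID reads as empty data; validateId(), not read(), decides
    // whether a client-supplied ID may be kept.
    public function read($id): string { $p = $this->path($id); return is_file($p) ? (string) file_get_contents($p) : ''; }
    public function write($id, $data): bool { return file_put_contents($this->path($id), $data, LOCK_EX) !== false; }
    public function destroy($id): bool { $p = $this->path($id); return !is_file($p) || unlink($p); }
    public function gc($maxLifetime): int
    {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) + $maxLifetime < time());
        return count(array_filter($old, 'unlink'));
    }
}

ini_set('session.use_strict_mode', '1'); // must precede session_start()
session_set_save_handler(new StrictFileSessionHandler(sys_get_temp_dir() . '/strict_sessions'), true);
session_start();
```

With this handler registered, a request carrying a session ID that has no stored record is given a newly generated ID instead of having the unknown one adopted.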
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 22:01:28 2024 UTC