
ext/session: secure session configuration defaults (RFC)#21938

Merged
Girgias merged 4 commits into
php:masterfrom
jorgsowa:session-security-defaults-rfc
May 19, 2026

Conversation

@jorgsowa (Contributor) commented May 3, 2026

Implements the "Secure Session Configuration Defaults" RFC by changing three INI defaults to provide secure session behavior out of the box:

  • session.use_strict_mode: 0 -> 1
  • session.cookie_httponly: 0 -> 1
  • session.cookie_samesite: "" -> "Lax"

RFC: https://wiki.php.net/rfc/session_security_defaults

@jorgsowa jorgsowa force-pushed the session-security-defaults-rfc branch from f1e14f9 to 8e76687 on May 17, 2026 15:40
@jorgsowa jorgsowa marked this pull request as ready for review May 17, 2026 18:14
@jorgsowa jorgsowa requested a review from Girgias as a code owner May 17, 2026 18:14
@Girgias (Member) left a comment

Merge conflict but LGTM, thank you!

jorgsowa added 3 commits May 18, 2026 21:54
Implements the "Secure Session Configuration Defaults" RFC by changing
three INI defaults to provide secure session behavior out of the box:

- session.use_strict_mode: 0 -> 1 (mitigates session fixation)
- session.cookie_httponly: 0 -> 1 (mitigates XSS access to session cookie)
- session.cookie_samesite: "" -> "Lax" (mitigates CSRF)

RFC: https://wiki.php.net/rfc/session_security_defaults
@jorgsowa jorgsowa force-pushed the session-security-defaults-rfc branch from 02424cb to 23ebec1 on May 18, 2026 19:54

@jorgsowa (Contributor, Author) commented

All new defaults have been accepted in RFC: https://wiki.php.net/rfc/session_security_defaults

PR is ready to be merged after all tests pass.

@Girgias Girgias merged commit 27ead91 into php:master May 19, 2026
19 checks passed
Comment thread on php.ini-development (context lines):
; enabling it is encouraged.
; vulnerability.
; https://wiki.php.net/rfc/strict_sessions
session.use_strict_mode = 0
Member commented

This entry should probably also be commented out, since it matches the default. Same for the others. Might make sense to do this change as a follow-up.

Contributor Author commented

That's a good point. Thanks. I will do it today.

Contributor Author commented

I reconsidered it, and I don't think it's a good idea. Changing configuration defaults doesn't introduce breaking changes because those values have been explicitly set in php.ini. Otherwise, updating the PHP version would change the session configuration values.

So if we decide again that the defaults must be changed, the changes will only affect new PHP installations, not existing installations after an update.
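As an added example (not code from this PR or from the php-src tree), the script below audits the effective values of the three directives the RFC changes and pins them at runtime before session_start(). It also illustrates the point made in the thread above: ini_get() reports the value actually in force, so an explicit php.ini entry such as the php.ini-development line session.use_strict_mode = 0 overrides the compiled-in default and is reported as a deviation. The script uses only built-in PHP functions; the file name audit.php, the constant and the function names are the example's own.

```php
<?php
// Added example, not part of PR #21938: audit the effective session settings
// against the three hardened defaults the RFC introduces, and show how an
// application can pin them before session_start() on installations whose
// php.ini still overrides the compiled-in defaults.
declare(strict_types=1);

// Hardened defaults from the RFC. For session.cookie_samesite, "Strict" is
// treated as acceptable as well, since it is at least as restrictive as "Lax".
const HARDENED_SESSION_DEFAULTS = [
    'session.use_strict_mode' => '1',   // reject IDs the server never issued (fixation)
    'session.cookie_httponly' => '1',   // cookie unreadable from JavaScript (XSS)
    'session.cookie_samesite' => 'Lax', // cookie withheld on cross-site requests (CSRF)
];

/** Map the "1"/"On"/"true"/"" strings ini_get() may return to "1" or "0". */
function ini_flag(string $value): string
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
}

/**
 * Return one [directive, effective, expected] row for every directive whose
 * effective value is weaker than the hardened default. ini_get() returns the
 * value in force for this process, whether it came from the compiled-in
 * default, php.ini, or a -d command-line override.
 */
function audit_session_config(): array
{
    $deviations = [];
    foreach (HARDENED_SESSION_DEFAULTS as $directive => $expected) {
        $effective = (string) ini_get($directive);
        $ok = $directive === 'session.cookie_samesite'
            ? in_array(strtolower($effective), ['lax', 'strict'], true)
            : ini_flag($effective) === $expected;
        if (!$ok) {
            $deviations[] = [$directive, $effective, $expected];
        }
    }
    return $deviations;
}

/**
 * Enforce the hardened values for this request regardless of php.ini.
 * Must run before session_start(). session.use_strict_mode is INI_ALL, so
 * ini_set() works at runtime; the cookie attributes go through
 * session_set_cookie_params(), which updates the matching ini values.
 */
function harden_session_config(): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        // Not part of the RFC: only send the cookie over TLS when the request is HTTPS.
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
}

if (PHP_SAPI === 'cli') {
    $before = audit_session_config();
    foreach ($before as [$directive, $effective, $expected]) {
        printf("%-24s effective=%-8s expected=%s\n",
            $directive, var_export($effective, true), $expected);
    }
    echo $before === [] ? "config already hardened\n" : "";

    harden_session_config();
    echo audit_session_config() === [] ? "hardened for this process\n" : "hardening failed\n";
}
```

Run it as php audit.php against the installed php.ini, then as php -d session.use_strict_mode=0 audit.php to simulate the explicit php.ini-development entry: the second run lists session.use_strict_mode as a deviation before harden_session_config() re-pins it, which is exactly why changing the compiled-in default alone does not alter the behaviour of an installation whose php.ini sets the value explicitly.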


3 participants