Hi!
I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub):
https://github.com/php/php-src/issues/7913
Kind Regards,
etkaar
Le 13 sept. 2024 à 16:13, etkaar etkaar@akayo.eu a écrit :
Hi! I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub): [https://github.com/php/php-src/issues/7913](https://github.com/php/php-src/issues/7913) Kind Regards, etkaar
Hi,
-
Defaulting
session.cookie_httponlytotrueseems very reasonable. -
Beware that if you set
session.cookie_securetotrue, you will break websites that are not served across https. Moreover, the reason of the breakage may not be evident. -
You forgot another obvious setting:
session.cookie_samesitemust be “Lax” by default. -
We should also consider setting
session.use_strict_modetotrue, in order to mitigate session fixation attacks.
—Claude
On Fri, Sep 13, 2024 at 9:51 PM Claude Pache <claude.pache@gmail.com> wrote:
Le 13 sept. 2024 à 16:13, etkaar <etkaar@akayo.eu> a écrit :
Hi! I've created this issue in January 2022 but it seems it wasn't noticed yet (since you probably do watch the mailing lists more than GitHub): [https://github.com/php/php-src/issues/7913](https://github.com/php/php-src/issues/7913) Kind Regards, etkaarHi,
Defaulting
session.cookie_httponlytotrueseems very reasonable.Beware that if you set
session.cookie_securetotrue, you will break websites that are not served across https. Moreover, the reason of the breakage may not be evident.You forgot another obvious setting:
session.cookie_samesitemust be “Lax” by default.We should also consider setting
session.use_strict_modetotrue, in order to mitigate session fixation attacks.—Claude
Hi,
Maybe, session.cookie_secure could use an additional value like 'auto' which would enable it for https and disable for http. Symfony does it too https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure
Kind regards,
Faizan