Hello internals,
I would like to propose an RFC about securing the session configuration defaults. It has already been discussed many times in the GitHub issues, so I would like to finally create an RFC about it.
Link:
https://wiki.php.net/rfc/session_security_defaults
Kind regards,
Jorg
On Saturday, 11 April 2026 at 19:26, Jorg Sowa <jorg.sowa@gmail.com> wrote:
> Hello internals,
> I would like to propose an RFC about securing the session configuration defaults. It has already been discussed many times in the GitHub issues, so I would like to finally create an RFC about it.
> Link:
> https://wiki.php.net/rfc/session_security_defaults
> Kind regards,
> Jorg
Hello,
Thank you for tackling this, I was planning on doing a similar RFC to modernize ext/session.
The main change I would like to see is to actually *deprecate* the session.use_strict_mode INI setting and to always force it to 1.
This would require userland SessionHandlers to always implement the SessionIdInterface::create_sid and SessionUpdateTimestampHandlerInterface::validateId methods.
Now for some reason these are on 2 different interfaces which I don't understand.
Implementation wise, I wouldn't force classes to implement the different interfaces, but just emit a deprecation that these methods will be required and move the methods onto the generic SessionHandlerInterface in PHP 9.
Happy to work on the implementation of this if needed.
Best regards,
Gina P. Banyard
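For readers who have not written a userland handler against all three interfaces, here is an added example (not code from the RFC, from ext/session, or from either poster) of a SessionHandler that implements create_sid and validateId and therefore works with session.use_strict_mode = 1. The in-memory array store, the ArraySessionHandler class name, and the CLI-only cookie settings are assumptions for the demo; a real handler would back validateId with a lookup in its database, Redis, or file store.

```php
<?php
declare(strict_types=1);

// Added example: a userland handler implementing the three interfaces that
// strict mode relies on. Storage is an in-memory array (demo assumption).
final class ArraySessionHandler implements
    SessionHandlerInterface,
    SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, string> session id => serialized session data */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        return $this->store[$id] ?? '';
    }

    public function write(string $id, string $data): bool
    {
        $this->store[$id] = $data;
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$id]);
        return true;
    }

    public function gc(int $max_lifetime): int|false { return 0; }

    // SessionIdInterface: PHP calls this when it needs a fresh id. Use a CSPRNG;
    // strict mode also calls validateId() on the result to avoid collisions.
    public function create_sid(): string
    {
        return bin2hex(random_bytes(16));
    }

    // SessionUpdateTimestampHandlerInterface: under strict mode PHP passes the
    // client-supplied id here before using it. Returning false makes PHP drop
    // that id and generate a new one, which is what defeats session fixation.
    public function validateId(string $id): bool
    {
        return isset($this->store[$id]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        // Nothing to refresh in memory; a real store would extend its TTL here.
        return isset($this->store[$id]);
    }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0'); // CLI demo: no headers, ids set via session_id()

$handler = new ArraySessionHandler();
session_set_save_handler($handler, true);

// Fixation attempt: the "client" presents an id that the handler never issued.
$attackerChosen = str_repeat('a', 32);
session_id($attackerChosen);
session_start();
$rejected = session_id() !== $attackerChosen;
echo "attacker-chosen id rejected by validateId(): " . var_export($rejected, true) . "\n";

$_SESSION['user'] = 'alice';
$issued = session_id();
session_write_close();

// An id the handler did issue round-trips normally.
session_id($issued);
session_start();
echo "issued id accepted: " . var_export(session_id() === $issued, true) . "\n";
echo "user from store: " . $_SESSION['user'] . "\n";
session_write_close();
```

Run it with php on the command line; with session.use_strict_mode = 0 the first check flips, because PHP will happily adopt the attacker-chosen id without consulting validateId(). A handler that omits validateId() gives strict mode nothing to call, which is the gap the proposed deprecation above is meant to close.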
Thanks Gina for the input. I see it as an improvement as well and would be happy to help with it. However, I would like to keep things separate in this RFC.
If no new comments arrive, I would like to move to the voting phase next week.
Kind regards,
Jorg