Can anyone explain to me what use_strict_mode in the php.ini config is responsible for? The documentation tells me the following:
session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept an uninitialized session ID. If an uninitialized session ID is sent from the browser, a new session ID is sent to the browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).
My rudimentary understanding is that it always creates a session ID for you, but I already saw another config option which does the same. So I assume that my understanding is wrong. So why do we need it? (The closest I saw is that it prevents OWASP A9, but that does not give me a lot of information.)
session.cookie_secure specifies whether cookies should only be sent over secure connections (HTTPS). If you're using HTTP, you won't get any cookies from the server. That's why you don't have a session.
PHP $_SESSION is an associative array that contains all session variables. It is used to set and get session variable values. Example: Store information.
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie. When session_start() is called or when a session auto starts, PHP will call the open and read session save handlers.
No, that is not session auto start.
It just means that if someone creates a session ID and sends it to your server, and PHP realizes that there is no session so far with that ID (when strict mode is on), PHP will create a new, different session ID and initialize the session under that new one, instead of (as when strict mode is off) under the user-injected session ID value.
A more elaborate introduction and the motivation behind strict session ID handling in PHP are outlined in an RFC in the PHP wiki: Request for Comments: Strict Sessions.
So with strict mode off, a user can decide which session ID she wants to use.
With strict mode on, the user cannot decide that.
So you need it when you do not want to allow a user to pre-define the session ID value. You normally want to prevent that to reduce the attack surface.
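As an added illustration (not code from the question or answer above), the script below enables strict mode and reports whether the session ID the browser presented was adopted; the hardening directives and the `loginUser` helper are the editor's assumptions about a typical setup, not part of the original post.

```php
<?php
// Added example: what session.use_strict_mode changes when the browser
// presents a session ID the server never issued. Serve with `php -S`, request
// it once with no cookie and once with a made-up PHPSESSID cookie, and compare.

// Session hardening, set before session_start(); all are real php.ini
// directives and can equally live in php.ini.
ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not create
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1'); // send the cookie over HTTPS only
}

$presented = $_COOKIE[session_name()] ?? null; // ID the browser sent, if any

session_start();

// With strict mode on, a presented ID with no matching session is discarded
// and session_id() now holds a freshly generated value. With strict mode off
// (the default), PHP would have created a session under the presented ID,
// i.e. the session was "adopted", which is what makes fixation possible.
$adopted = ($presented !== null && $presented === session_id());

// Independent of strict mode, an authentication step should always rotate
// the ID so that nothing issued before login stays valid afterwards.
function loginUser(string $userId): void
{
    session_regenerate_id(true);      // new ID; old session data removed
    $_SESSION['user_id'] = $userId;
}

header('Content-Type: text/plain');
echo "presented ID: " . ($presented ?? '(none)') . "\n";
echo "current ID:   " . session_id() . "\n";
echo "adopted:      " . ($adopted ? 'yes (fixation possible)' : 'no') . "\n";
```

Flipping the first `ini_set` to `'0'` and repeating the made-up-cookie request makes the "adopted" line change to yes, which is the behaviour the answer describes for strict mode off.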