use_strict_mode in PHP sessions

Can someone explain to me what the use_strict_mode setting in the php.ini configuration is responsible for? The documentation tells me the following:

session.use_strict_mode specifies whether the module will use strict session ID mode. If this mode is enabled, the module does not accept an uninitialized session ID. If an uninitialized session ID is sent from the browser, a new session ID is sent to the browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

My rudimentary understanding is that a session identifier is always created anyway, but I have already seen another option doing the same. Therefore, I assume that my understanding is wrong. So why do we need this? (The closest I've found is that it prevents OWASP A9, but that does not tell me much.)

+6
1 answer

No, this is not an automatic session start.

It is simple: if someone creates a session identifier and sends it to your server, and PHP finds that there is no session with this identifier yet (when strict mode is enabled), PHP will create a new, different session identifier to initialize the session for this new one, instead of (as with strict mode off) the value entered by the user for the session identifier.

A more detailed introduction and the motivation for strict handling of the session identifier in PHP are described in the RFC on the PHP wiki: Request for Comments: Strict Sessions.

Thus, with strict mode off, the user can decide which session identifier she wants to use.

With strict mode on, the user cannot decide that.

Therefore, you need this if you do not want the user to be able to predefine the value of the session identifier. Usually you want to prevent this in order to reduce the attack surface.

+8
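The behaviour the answer describes can be checked directly. The script below is an added example, not code from the question or answer: it starts a session with use_strict_mode on or off (the `strict` query parameter is a convenience of this demo only) and reports whether the session ID in the client's cookie was adopted or replaced. The cookie value `clientsuppliedid1234` is a constructed, never-initialized ID.

```php
<?php
// Added example: what session.use_strict_mode does with a client-supplied ID.
// Run with the built-in server:   php -S 127.0.0.1:8080 strict_demo.php
// then send a cookie whose ID no server-side session exists for
// (constructed value; run the strict=1 request first, see note below):
//   curl -si -b 'PHPSESSID=clientsuppliedid1234' 'http://127.0.0.1:8080/?strict=1'
//   curl -si -b 'PHPSESSID=clientsuppliedid1234' 'http://127.0.0.1:8080/?strict=0'

$strict = (($_GET['strict'] ?? '1') === '1') ? '1' : '0';

// Both settings are PHP_INI_ALL, so ini_set() before session_start() works here;
// in production, set use_strict_mode = 1 in php.ini instead.
ini_set('session.use_strict_mode', $strict);
ini_set('session.save_path', sys_get_temp_dir());

$supplied = $_COOKIE[session_name()] ?? null;   // ID the client sent, if any
session_start();
$active = session_id();                          // ID PHP is actually using

header('Content-Type: text/plain');
echo "use_strict_mode        = {$strict}\n";
echo "cookie sent by client  = " . ($supplied ?? '(none)') . "\n";
echo "session id in use      = {$active}\n";

if ($supplied === null) {
    echo "RESULT: no ID supplied, PHP generated one regardless of the setting\n";
} elseif ($supplied === $active) {
    // Only happens with strict mode off (or when that ID already has a session
    // on the server): PHP adopted the value the client chose, no Set-Cookie sent.
    echo "RESULT: client-supplied ID was ADOPTED\n";
} else {
    // Strict mode found no initialized session for the ID, discarded it and
    // issued a fresh one; look for the Set-Cookie header in the response.
    echo "RESULT: client-supplied ID was REJECTED, a new ID was issued\n";
}
```

Run the strict=1 request first: once a strict=0 request has adopted the ID, a session file for it exists and a later strict=1 request will accept it as an initialized session, which is exactly the "uninitialized" distinction the documentation quote makes.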
