From 3c683771768d33e643356e6d2dbe300c6214e246 Mon Sep 17 00:00:00 2001
From: DaWe
Date: Fri, 15 Mar 2024 14:25:49 +0700
Subject: [PATCH 1/4] Make session cookies are httpOnly by default
---
 ext/session/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/session/session.c b/ext/session/session.c
index 6588ccc4da5f4..1bff1094f74ed 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -817,7 +817,7 @@ PHP_INI_BEGIN()
 STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateSessionString, cookie_path, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateSessionString, cookie_domain, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.cookie_secure", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_secure, php_ps_globals, ps_globals)
- STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_httponly, php_ps_globals, ps_globals)
+ STD_PHP_INI_BOOLEAN("session.cookie_httponly", "1", PHP_INI_ALL, OnUpdateSessionBool, cookie_httponly, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cookie_samesite", "", PHP_INI_ALL, OnUpdateSessionString, cookie_samesite, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateSessionBool, use_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateSessionBool, use_only_cookies, php_ps_globals, ps_globals)
From bcf235cacf95a54214f1bcec2f97f6e24117ce88 Mon Sep 17 00:00:00 2001
From: DaWe
Date: Fri, 15 Mar 2024 15:28:31 +0700
Subject: [PATCH 2/4] session strick_mode 1 by default
---
 ext/session/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/session/session.c b/ext/session/session.c
index 1bff1094f74ed..c1b45eba5eb8c 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
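Review bot: Changing the compiled-in default of `session.cookie_httponly` from "0" to "1" silently alters behaviour for every deployment that has no php.ini or whose php.ini omits the key, and it breaks any front-end that reads the session cookie through `document.cookie`; nothing in this series shows an UPGRADING or NEWS entry, so one should accompany this hunk, naming the new default and the opt-out (`ini_set('session.cookie_httponly', '0')` or `session_set_cookie_params(['httponly' => false])`). The same entry should mention that `session_get_cookie_params()` will now report `httponly => true` unless overridden. Leaving `session.cookie_secure` at "0" two lines up is reasonable, since the engine cannot know whether the site is served over TLS. The PHP_INI_BEGIN() table starts and ends outside the hunk.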
@@ -821,7 +821,7 @@ PHP_INI_BEGIN()
 STD_PHP_INI_ENTRY("session.cookie_samesite", "", PHP_INI_ALL, OnUpdateSessionString, cookie_samesite, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateSessionBool, use_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateSessionBool, use_only_cookies, php_ps_globals, ps_globals)
- STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateSessionBool, use_strict_mode, php_ps_globals, ps_globals)
+ STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateSessionBool, use_strict_mode, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateSessionString, extern_referer_chk, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateSessionString, cache_limiter, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateSessionLong, cache_expire, php_ps_globals, ps_globals)
From 5c4cea4a84afba60dd4da5482b2dea96c2a32a08 Mon Sep 17 00:00:00 2001
From: DaWe
Date: Fri, 15 Mar 2024 15:40:24 +0700
Subject: [PATCH 3/4] session.use_strict_mode default change in php.ini-production
---
 php.ini-production | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/php.ini-production b/php.ini-production
index 56b0905f2e090..657f8c1896d95 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -1319,7 +1319,7 @@ session.save_handler = files
 ; vulnerability. It is disabled by default for maximum compatibility, but
 ; enabling it is encouraged.
 ; https://wiki.php.net/rfc/strict_sessions
-session.use_strict_mode = 0
+session.use_strict_mode = 1
 ; Whether to use cookies.
 ; https://php.net/session.use-cookies
From 21d3b4a673488a7e2bd6ec0b6adde3c811efe4f0 Mon Sep 17 00:00:00 2001
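Review bot: Flipping `session.use_strict_mode` to "1" changes what `session_start()` does with an ID the save handler has never seen — it is discarded and a fresh one issued — so applications that seed the ID themselves (`session_id($id)` before `session_start()`, or hand a session across hosts in a URL) lose their session after this hunk, and that deserves an UPGRADING entry the series does not show. It is also worth stating in that entry that the protection only bites when the save handler can validate IDs: as far as I recall, a userland `SessionHandlerInterface` implementation without `SessionUpdateTimestampHandlerInterface::validateId()` falls through to the dummy validator in session.c that accepts every ID, so such handlers gain nothing from the new default — please confirm against mod_user.c before relying on that wording. The PHP_INI_BEGIN() table starts and ends outside the hunk.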
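Review bot: The two context lines directly above the changed value, `; vulnerability. It is disabled by default for maximum compatibility, but` and `; enabling it is encouraged.`, now contradict the `session.use_strict_mode = 1` they document. Replace them with a single line such as `; vulnerability. It is enabled by default; disabling it is discouraged.` so the shipped production template stops describing the old default. The sentence that "vulnerability." completes begins outside the hunk, so check the rewritten line still reads naturally after it.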
From: DaWe
Date: Fri, 15 Mar 2024 15:41:46 +0700
Subject: [PATCH 4/4] change default values
---
 php.ini-development | 2 +-
 php.ini-production | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/php.ini-development b/php.ini-development
index 730a400ec9402..944848bd0aa88 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -1317,7 +1317,7 @@ session.save_handler = files
 ; vulnerability. It is disabled by default for maximum compatibility, but
 ; enabling it is encouraged.
 ; https://wiki.php.net/rfc/strict_sessions
-session.use_strict_mode = 0
+session.use_strict_mode = 1
 ; Whether to use cookies.
 ; https://php.net/session.use-cookies
diff --git a/php.ini-production b/php.ini-production
index 657f8c1896d95..86519879136e2 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -1358,7 +1358,7 @@ session.cookie_domain =
 ; Whether or not to add the httpOnly flag to the cookie, which makes it
 ; inaccessible to browser scripting languages such as JavaScript.
 ; https://php.net/session.cookie-httponly
-session.cookie_httponly =
+session.cookie_httponly = 1
 ; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
 ; Current valid values are "Strict", "Lax" or "None". When using "None",
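Review bot: In php.ini-development the context lines `; vulnerability. It is disabled by default for maximum compatibility, but` and `; enabling it is encouraged.` still describe the old default directly above the new `session.use_strict_mode = 1`. Suggest collapsing them to `; vulnerability. It is enabled by default; disabling it is discouraged.` so the development template matches the value it ships. The sentence this comment continues starts outside the hunk.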
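Review bot: Only php.ini-production receives `session.cookie_httponly = 1`; this patch's diffstat shows php.ini-development changed by a single line, and that line is the use_strict_mode one in the preceding hunk, so the development template presumably still ships the old empty `session.cookie_httponly =` line — an empty value for a boolean ini entry parses as off and would override the new compiled-in default for anyone who installs that file. Add the same `session.cookie_httponly = 1` to php.ini-development so both templates agree with the engine default. The comment above the changed line remains accurate and needs no edit.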