> On 13 Sept. 2024 at 16:13, etkaar <[email protected]> wrote:
>
> Hi!
>
> I created this issue in January 2022, but it seems it wasn't noticed yet (since you
> probably watch the mailing lists more than GitHub):
> https://github.com/php/php-src/issues/7913
>
> Kind Regards,
> etkaar
Hi,
* Defaulting session.cookie_httponly to true seems very reasonable.
* Beware that if you set session.cookie_secure to true, you will break websites that are not served over https. Moreover, the reason for the breakage may not be evident.
* You forgot another obvious setting: session.cookie_samesite must be "Lax" by default.
* We should also consider setting session.use_strict_mode to true, in order to mitigate session fixation attacks.
—Claude
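As an added example (not part of this thread or of php-src), the following CLI script applies the four settings discussed above at runtime, keeps cookie_secure tied to whether HTTPS is actually in use, and checks that session.use_strict_mode refuses a session ID the server never issued, which is the fixation case the last bullet mentions. The save path, the forged ID and the `$https` detection are constructed for the demo.

```php
<?php
// Added demo, not from the thread. Run with: php session_demo.php
// Nothing is printed before the session calls: session_start() and
// session_regenerate_id() both refuse to run once headers have been sent.
declare(strict_types=1);

// Assumption: HTTPS detected from $_SERVER. Forcing cookie_secure=1 on a
// plain-HTTP site makes the browser drop the cookie, so every request looks
// logged out, which is the non-obvious breakage the reply warns about.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$settings = [
    'session.use_only_cookies' => '1',
    'session.cookie_httponly'  => '1',
    'session.cookie_samesite'  => 'Lax',
    'session.cookie_secure'    => $https ? '1' : '0',
    'session.use_strict_mode'  => '1',
    // Private store so the demo never touches a real session directory.
    'session.save_path'        => sys_get_temp_dir() . '/sess-demo-' . getmypid(),
];
if (!mkdir($settings['session.save_path'], 0700)) {
    fwrite(STDERR, "cannot create private save path\n");
    exit(1);
}
foreach ($settings as $key => $value) {
    if (ini_set($key, $value) === false) {
        fwrite(STDERR, "cannot set $key\n");
        exit(1);
    }
}

// A client presents an ID (constructed) that exists nowhere in the store.
// With use_strict_mode=0 PHP would adopt it and later bind the login to it.
$forged = 'attackerchosen0123456789abcdef';
$_COOKIE[session_name()] = $forged;
session_start();
$adopted  = (session_id() === $forged);
$issuedId = session_id();

// On login, rotate the ID as well, so even a valid pre-login ID is not kept.
$_SESSION['user'] = 'demo';
session_regenerate_id(true);
$rotated = (session_id() !== $issuedId);
$cookie  = session_get_cookie_params();
session_write_close();

printf("forged ID adopted: %s\n", $adopted ? 'yes (fixation possible)' : 'no, fresh ID issued');
printf("ID rotated on login: %s\n", $rotated ? 'yes' : 'no');
printf("cookie: httponly=%d secure=%d samesite=%s\n",
    $cookie['httponly'], $cookie['secure'], $cookie['samesite']);

array_map('unlink', glob($settings['session.save_path'] . '/sess_*') ?: []);
rmdir($settings['session.save_path']);
```

With the defaults discussed in the thread in place, the first line reports that the forged ID was not adopted; switching session.use_strict_mode to 0 in the array shows the ID being accepted as-is.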