
Can anyone explain to me what use_strict_mode in the php.ini config is responsible for? The documentation tells me the following:

session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

My rudimentary understanding is that it always creates a session ID for you, but I already saw another config option which does the same. So I assume that my understanding is wrong. So why do we need it? (The closest I saw is that it prevents OWASP A9, but it does not give me a lot of information).

Salvador Dali
  • OWASP A9? I wonder how you pick together those "knowns" – hakre May 07 '14 at 22:27
  • @hakre I did not get your comment. Can you please reword it? – Salvador Dali May 07 '14 at 22:31
  • OWASP A9 is nothing to prevent, it's a description of things done wrong. There is also no relation to session as far as I can say. So I just wonder, how do you manage to connect A9 to session.use_strict_mode (and also a bit as well how you connect that to session.auto_start). – hakre May 07 '14 at 22:34
  • Is there anything bad with the question? Or maybe it does not fall into the paradigm of `I am using magento/wordpress and can not configure a plugin?` – Salvador Dali May 07 '14 at 22:44
  • I didn't DV, but asking about "how can it be helpful" is often very broad and not clear what you aim with asking. Making that more clear can improve a question. – hakre May 08 '14 at 07:19
  • @hakre thanks. Got it, I removed that part. So right now I am asking only what is this option doing. Hope this is ok. – Salvador Dali May 08 '14 at 08:14

1 Answer


No, that is not session auto start.

It is just this: if someone creates a session ID and sends it to your server, and PHP realizes that there is no session so far with that ID (when strict mode is on), PHP will create a new, different session ID and initialize the session with that new one, instead of (as when strict mode is off) using the user-injected value as the session ID.

A more elaborated introduction and the motivation for Strict Session ID Handling in PHP has been outlined in an RFC in the PHP wiki: Request for Comments: Strict Sessions.

So with strict mode off, a user can decide which session ID she wants to use.

With strict mode on, the user can not decide that.

So you need it when you do not want to allow a user to pre-define the session ID value. You normally want to prevent that to reduce the attack surface.

hakre
  • Just to make sure I got it right. I am in `strict_mode off` and no session was created. I send a request back to the server and tamper with my cookie, posting `PHPSESSID='hi'`, so the server initiates a session for me with `PHPSESSID` 'hi'. But if I do the same with `strict_mode` on it will not happen. Am I right? – Salvador Dali May 07 '14 at 22:37
  • Yes, that is basically what the part you quoted already says in pretty much plain English … – CBroe May 07 '14 at 22:39
  • This is also the reason why when something important happens (like the user logs-in or a session time-out period has passed) the session ID has to be changed by the webapp. Instead of strict-mode you can have a counter inside the session and also ensure that when the session is created the session ID has to immediately change. – hakre May 08 '14 at 07:18
  • @SalvadorDali: Added another link that should explain it from a greater amount of POVs and angles. – hakre May 18 '14 at 12:14
  • Maybe you're using a different session_id try checking your session.use_strict_mode configuration. – Jean Carlo Machado Jun 07 '16 at 22:27
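The accepted answer and the comment thread above describe two behaviours: how session_start() treats an uninitialized PHPSESSID with session.use_strict_mode off versus on, and hakre's second line of defence of regenerating the ID at login. The following Python model is an added example, not PHP's own implementation or code from the original page; the SessionStore class, its method names and the sample value "hi" (taken from the comments) are constructed for illustration only.

```python
from __future__ import annotations

import secrets


class SessionStore:
    """Toy model (constructed for this example, not PHP's code) of a server-side
    session store that can run with or without session.use_strict_mode."""

    def __init__(self, use_strict_mode: bool) -> None:
        self.use_strict_mode = use_strict_mode
        self.sessions: dict[str, dict] = {}  # session id -> session data

    def start(self, cookie_id: str | None) -> str:
        """Model of session_start(). cookie_id is the PHPSESSID value the browser
        sent, or None. Returns the id the server ends up using for this request."""
        if cookie_id is not None and cookie_id in self.sessions:
            sid = cookie_id                   # known, initialised session: resume it
        elif cookie_id is not None and not self.use_strict_mode:
            sid = cookie_id                   # lax mode adopts any client-chosen id
        else:
            sid = secrets.token_hex(16)       # no id sent, or strict mode rejected it
        self.sessions.setdefault(sid, {})
        return sid

    def regenerate_id(self, old_sid: str) -> str:
        """Model of session_regenerate_id(true): keep the data, retire the old id."""
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid


def adopted_id(use_strict_mode: bool, client_chosen: str = "hi") -> str:
    """First request from a browser presenting a PHPSESSID that was never initialised.
    Lax mode returns the client's value; strict mode returns a fresh server-made id."""
    return SessionStore(use_strict_mode).start(client_chosen)


def login_flow(use_strict_mode: bool) -> tuple[bool, bool]:
    """Regenerate the id when the user logs in, as hakre's comment recommends.
    Returns (old id still resumes a session, new id carries the logged-in user)."""
    store = SessionStore(use_strict_mode)
    sid = store.start(None)                   # fresh anonymous session
    store.sessions[sid]["cart"] = ["item"]    # data accumulated before login
    store.sessions[sid]["user"] = "alice"     # authentication succeeded
    new_sid = store.regenerate_id(sid)        # anyone holding the old id loses it
    old_still_valid = sid in store.sessions
    return old_still_valid, store.sessions[store.start(new_sid)].get("user") == "alice"
```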