On Saturday, 11 April 2026 at 19:26, Jorg Sowa <[email protected]> wrote:
> Hello internals,
>
> I would like to propose an RFC about securing the session configuration
> defaults. It's been already discussed many times in the GitHub issues, so I
> would like to finally create an RFC about it.
>
> Link: https://wiki.php.net/rfc/session_security_defaults
>
> Kind regards,
> Jorg

Hello,

Thank you for tackling this, I was planning on doing a similar RFC to modernize ext/session.

The main change I would like to see is to actually *deprecate* the session.use_strict_mode INI setting and to always force it to 1.
This would require userland SessionHandlers to always implement the [create_sid](https://www.php.net/manual/en/sessionidinterface.create-sid.php) and [validateId](https://www.php.net/manual/en/sessionupdatetimestamphandlerinterface.validateid.php) methods.
Now for some reason these are on 2 different interfaces, which I don't understand.

Implementation-wise, I wouldn't force classes to implement the different interfaces, but just emit a deprecation that these methods will be required and move the methods onto the generic SessionHandlerInterface in PHP 9.

Happy to work on the implementation of this if needed.

Best regards,
Gina P. Banyard
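As an added illustration of the two methods discussed above (this is example code written for this page, not code from the RFC, from ext/session, or from either poster), the following userland handler implements all three interfaces that currently carry the session callbacks: SessionHandlerInterface, SessionIdInterface (create_sid) and SessionUpdateTimestampHandlerInterface (validateId, updateTimestamp). The class name InMemoryStrictHandler, the in-memory store and the sample session IDs are assumptions made for the example. With session.use_strict_mode=1 the engine calls validateId() on every client-supplied ID and, when it returns false, discards that ID and asks create_sid() for a fresh one; the driver at the bottom shows that decision for an ID the server never issued and then for one it did.

```php
<?php
declare(strict_types=1);

// Example handler (not from the thread): keeps sessions in process memory so it
// runs stand-alone from the CLI. A real handler would back this with a database,
// a cache, or files.
final class InMemoryStrictHandler implements
    SessionHandlerInterface,
    SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, array{data: string, mtime: int}> */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Unknown IDs read as an empty session; strict mode never gets here
        // for an unknown ID because validateId() rejects it first.
        return $this->store[$id]['data'] ?? '';
    }

    public function write(string $id, string $data): bool
    {
        $this->store[$id] = ['data' => $data, 'mtime' => time()];
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$id]);
        return true;
    }

    public function gc(int $max_lifetime): int|false
    {
        $cutoff  = time() - $max_lifetime;
        $removed = 0;
        foreach ($this->store as $id => $rec) {
            if ($rec['mtime'] < $cutoff) {
                unset($this->store[$id]);
                $removed++;
            }
        }
        return $removed;
    }

    // SessionIdInterface: called by the engine whenever it needs a new ID.
    // Use a CSPRNG and make sure the ID does not collide with a stored one.
    public function create_sid(): string
    {
        do {
            $id = bin2hex(random_bytes(16));
        } while (isset($this->store[$id]));
        return $id;
    }

    // SessionUpdateTimestampHandlerInterface: under use_strict_mode=1 the engine
    // calls this for every ID the client presents. Returning false makes the
    // engine drop the ID and call create_sid() instead, so only IDs this server
    // handed out are ever attached to a session.
    public function validateId(string $id): bool
    {
        return isset($this->store[$id]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        if (!isset($this->store[$id])) {
            return false;
        }
        $this->store[$id]['mtime'] = time();
        return true;
    }
}

$handler = new InMemoryStrictHandler();
ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');       // CLI demo: no Set-Cookie needed
session_set_save_handler($handler, true);

// Request 1: the client presents an ID this server never issued (constructed value).
session_id('neverissuedid');
session_start();
$issued = session_id();
echo $issued === 'neverissuedid'
    ? "unissued ID accepted\n"
    : "unissued ID rejected, engine created {$issued}\n";
$_SESSION['user'] = 'alice';
session_write_close();

// Request 2: the client presents the ID the server actually issued; it validates.
session_id($issued);
session_start();
echo session_id() === $issued ? "issued ID accepted\n" : "unexpected\n";
session_write_close();
```

Run it with `php -d session.save_path=/tmp example.php`; the first session_start() reports the unissued ID being replaced, the second keeps the issued one. If the same handler is run with session.use_strict_mode=0, validateId() is never consulted and the first session_start() silently adopts the client-supplied ID, which is the behaviour the proposal above wants to retire by forcing the setting to 1.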
