use_strict_mode in php sessions

感情败类 2021-02-13 10:37

Can anyone explain to me what use_strict_mode in the php.ini config is responsible for? The documentation tells me the following:

session.use_strict_mode speci

1 answer
  • 2021-02-13 11:21

    No that is not session auto start.

    It is just that if someone creates a session ID and sends it to your server, and PHP realizes that there is no session so far with that ID (when strict mode is on), PHP will create a new, different session ID and initialize the session with that new one instead of (as when strict mode is off) the user-injected value for the session ID.

    A more elaborate introduction to, and the motivation for, Strict Session ID Handling in PHP has been outlined in an RFC in the PHP wiki: Request for Comments: Strict Sessions.

    So with strict mode off, a user can decide which session ID she wants to use.

    With strict mode on, the user cannot decide that.

    So you need it when you do not want to allow a user to pre-define the session ID value. You normally want to prevent that to reduce the attack surface.

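An added example, not part of the original answer: a request handler that turns strict mode on and records when PHP replaces a client-supplied session ID with a new one. It assumes the default "files" save handler and cookie-based session IDs; `start_strict_session()` is a hypothetical helper name.

```php
<?php
// Added example (not from the original post). Assumes the default "files"
// save handler; start_strict_session() is a hypothetical helper name.

function start_strict_session(): array
{
    // Must be set before session_start(); normally configured in php.ini.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // ID the client presented in its session cookie, if any.
    $presented = $_COOKIE[session_name()] ?? null;

    session_start();
    $active = session_id();

    // With strict mode on, an ID that has no session data on the server is
    // discarded and PHP issues a fresh one, so the two values differ.
    $replaced = is_string($presented)
        && $presented !== ''
        && !hash_equals($active, $presented);

    if ($replaced) {
        // This also happens when a legitimate session expired and was
        // garbage-collected, so treat it as a signal, not proof of abuse.
        // Log a digest instead of the raw client-supplied value.
        error_log(sprintf(
            'session: client-supplied ID rejected (sha256 prefix %s) from %s',
            substr(hash('sha256', $presented), 0, 12),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }

    return ['presented' => $presented, 'active' => $active, 'replaced' => $replaced];
}

$result = start_strict_session();
header('Content-Type: text/plain');
echo $result['replaced']
    ? "Presented session ID was not known to the server; a new one was issued.\n"
    : "Session ID accepted or newly created.\n";
```

Strict mode only rejects IDs the server has no session for; calling `session_regenerate_id(true)` at login is still needed so that an ID in use before authentication is not carried into the authenticated session.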