session.use_trans_sid
Posted: Mon Feb 20, 2006 1:37 pm
by seodevhead
I've been doing some research on php.net about session.use_trans_sid and wanted to ask if this poses a security risk to have enabled? Why would you ever want the server to automatically allow appended PHPSESSIDs in URLs? This would allow for session fixation/hijacking, would it not? What would be the consequences if I turned it off? Thanks for your advice!
Posted: Mon Feb 20, 2006 2:26 pm
by feyd
If you have bad code, it'll allow for fixation. Hijacking is a slightly different matter we already went through. Having it off would mean anyone with cookies disabled will not be able to use the features associated with session-enabled pages. It only really poses a threat against users who have cookies disabled (or the cookies don't set for some reason) and click an external link where their browser sets the referrer to the URL containing the session id.
Changing the session id regularly can avoid hijacking issues, but you need to have a long enough id to help here. The ones built into PHP are generally fine. PHP only injects the session id information into local link information, if enabled.
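As an added example (not code posted by anyone in this thread), here is a PHP session bootstrap that puts feyd's advice into practice: the transparent-sid setting is turned off, ids are accepted only from the cookie, and the id is regenerated at login so that an id planted before authentication is not reused. The function names `secure_session_start` and `on_successful_login` are hypothetical; the `ini_set` keys are standard PHP session directives, and the settings must be applied before `session_start()` is called.

```php
<?php
// Added example, not from the original thread. Hypothetical helper names.
declare(strict_types=1);

function secure_session_start(): void
{
    // Weak configuration discussed in the thread (shown for comparison only):
    //   session.use_trans_sid   = 1  -> PHP rewrites local links/forms to carry PHPSESSID
    //   session.use_only_cookies = 0 -> a ?PHPSESSID=... in the URL is accepted as the session
    //
    // Hardened configuration:
    ini_set('session.use_cookies', '1');       // the "cookie setting on" feyd refers to
    ini_set('session.use_only_cookies', '1');  // ignore ids arriving in the query string or POST
    ini_set('session.use_trans_sid', '0');     // never append the id to URLs
    ini_set('session.cookie_httponly', '1');   // keep the session cookie away from page scripts
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (PHP >= 5.5.2)
    // ini_set('session.cookie_secure', '1');  // enable when the site is served over HTTPS only

    session_start();
}

// Call after a successful login (or any other privilege change). Issuing a new id
// means any id that existed before authentication no longer maps to the
// authenticated session, which is the fixation defence feyd describes.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true); // true: discard the old session data under the old id
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Usage: bootstrap on every request, regenerate once credentials have been verified.
secure_session_start();
// if (credentials_are_valid($username, $password)) { on_successful_login($id); }
```

With this configuration, users who have cookies disabled will not get a session at all, which is the trade-off the thread describes; the choice is deliberate, since the only way to serve them would be to carry the id in the URL again.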
Posted: Mon Feb 20, 2006 4:04 pm
by seodevhead
Thanks for the advice feyd...
So just to get clear... session.use_trans_sid set to OFF "ONLY" affects those who have 'accepting cookies' turned OFF?
Thanks.
Posted: Mon Feb 20, 2006 4:13 pm
by feyd
Provided you have the cookie setting on, yes.