session.use_trans_sid

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

session.use_trans_sid

Post by seodevhead »

I've been doing some research on php.net about session.use_trans_sid and wanted to ask if this poses a security risk to have enabled? Why would you ever want the server to automatically allow appended PHPSESSIDs in URLs? This would allow for session fixation/hijacking, would it not? What would be the consequences if I turned it off? Thanks for your advice!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you have bad code, it'll allow for fixation. Hijacking is a slightly different matter we already went through. Having it off would mean anyone with cookies disabled will not be able to use the features associated with session-enabled pages. It only really poses a threat against users who have cookies disabled (or the cookies don't set for some reason) and click an external link where their browser sets the referrer to the URL containing the session id.

Changing the session id regularly can avoid hijacking issues, but you need to have a long enough id to help here. The ones built into PHP are generally fine. PHP only injects the session id information into local link information, if enabled.
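The configuration the reply is describing (trans_sid off, ids bound to cookies, the id rotated when privilege changes) looks like the following in practice. This is an added example, not code posted in the thread; it assumes PHP 7.3 or later for session.cookie_samesite (the other directives are older), and the 900-second rotation interval is an arbitrary value chosen for illustration.

```php
<?php
// Added example (not from the thread): a session bootstrap that keeps
// session.use_trans_sid off and only ever accepts the id from the cookie.
// Assumes PHP >= 7.3 for session.cookie_samesite.

function secure_session_start(): void
{
    // Never rewrite local links/forms to carry PHPSESSID in the URL.
    ini_set('session.use_trans_sid', '0');
    // Ignore any session id arriving in the query string or POST body.
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server never issued, so a planted id is not adopted (fixation).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from scripts and off plaintext connections.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');

    session_start();

    // With use_only_cookies on, an id in the URL is ignored; logging it still
    // helps you notice links that are leaking or planting session ids.
    if (isset($_GET[session_name()])) {
        error_log('session id supplied via URL from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }
}

// Call this whenever the privilege level changes (login, role switch):
// the visitor gets a fresh id, so any id they held beforehand is useless.
function on_login(string $userId): void
{
    session_regenerate_id(true);          // true = discard the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['issued_at'] = time();
}

// Periodic rotation, as the reply suggests: renew the id after a fixed interval.
// 900 seconds is an illustrative value, not a recommendation from the thread.
function rotate_if_stale(int $maxAgeSeconds = 900): void
{
    if (!isset($_SESSION['issued_at']) || time() - $_SESSION['issued_at'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['issued_at'] = time();
    }
}

secure_session_start();
rotate_if_stale();
```

The trade-off is exactly the one the reply names: with session.use_trans_sid off and session.use_only_cookies on, a visitor whose browser does not accept cookies gets a new, empty session on every request, so anything that depends on session state stops working for them.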
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Thanks for the advice feyd...

So just to get clear.. session.use_trans_sid set to OFF "ONLY" affects those who have 'accepting cookies' turned OFF?

Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Provided you have the cookie setting on, yes.