session.use_trans_sid
- seodevhead
- Forum Regular
- Posts: 705
- Joined: Sat Oct 08, 2005 8:18 pm
- Location: Windermere, FL
I've been doing some research on php.net about session.use_trans_sid and wanted to ask if this poses a security risk to have enabled. Why would you ever want the server to automatically allow appended PHPSESSIDs in URLs? This would allow for session fixation/hijacking, would it not? What would be the consequences if I turned it off? Thanks for your advice!
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
If you have bad code, it'll allow for fixation. Hijacking is a slightly different matter we already went through. Having it off would mean anyone with cookies disabled will not be able to use the features associated with session-enabled pages. It only really poses a threat to users who have cookies disabled (or the cookies don't get set for some reason) and click an external link, where their browser sets the referrer to the URL containing the session id.
Changing the session id regularly can avoid hijacking issues, but you need to have a long enough id to help here. The ones built into PHP are generally fine. PHP only injects the session id information into local link information, if enabled.
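The settings and the id rotation the reply above describes, written out as a PHP session bootstrap. This is an added example, not code from the thread or from php.net: the login form field names are assumed, check_credentials() is a constructed in-memory user table standing in for a real credential store, and session.cookie_samesite needs PHP 7.3 or later (session.use_strict_mode needs 5.5.2, sid_length/sid_bits_per_character need 7.1; the rest is older).

```php
<?php
declare(strict_types=1);

// Added example: hardened PHP session bootstrap. Not from the forum thread.
// check_credentials() is a constructed stand-in; $_POST field names are assumed.

function harden_session_config(): void
{
    // Must run before session_start(). With trans_sid off and use_only_cookies
    // on, PHP neither rewrites local links to carry ?PHPSESSID=... nor reads an
    // id from the URL, so the id cannot leak via the Referer header of an
    // external link and cannot be planted by handing a victim a crafted URL.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');

    // Refuse ids the server did not generate itself. Without this an id chosen
    // by an attacker (e.g. set in a cookie) is adopted as-is: the "bad code"
    // fixation case, which trans_sid=0 alone does not close.
    ini_set('session.use_strict_mode', '1');

    // Keep the cookie away from script and off plain HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');

    // A long id makes guessing impractical: 48 chars x 6 bits = 288 bits.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
}

// Constructed user table; a real application would look this up in its store.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Privilege change: issue a fresh id and delete the old session data, so an
    // id the visitor arrived with (from a link, a Referer, or a planted cookie)
    // never becomes the id of an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['rotated_at'] = time();
    return true;
}

// Regular rotation, as the reply suggests: limits how long a leaked id stays usable.
function rotate_if_stale(int $maxAge = 900): void
{
    $last = $_SESSION['rotated_at'] ?? 0;
    if (time() - $last > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

// The "bad code" pattern that re-enables fixation no matter what php.ini says,
// because it lets the request pick the id. Do not write this:
//   if (isset($_GET['PHPSESSID'])) { session_id($_GET['PHPSESSID']); }

harden_session_config();
session_start();
rotate_if_stale();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    http_response_code($ok ? 200 : 401);
}
```

The trade-off is the one the reply states: with session.use_trans_sid off and session.use_only_cookies on, a browser that does not accept cookies gets a new empty session on every request, so session-dependent features simply stop working for it rather than falling back to a URL-carried id.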
- seodevhead
- Forum Regular
- Posts: 705
- Joined: Sat Oct 08, 2005 8:18 pm
- Location: Windermere, FL