rspec/rules/S3336/php/rule.adoc

PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

* see the URL over the user's shoulder
* be sent the URL by the user
* retrieve the URL from browser history
* ...

For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.


Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.


== Noncompliant Code Example

[source,php]
----
; php.ini
session.use_trans_sid=1  ; Noncompliant
----


== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

			`* see the URL over the user's shoulder`
			`* be sent the URL by the user`
			`* retrieve the URL from browser history`
			`* ...`

			`For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.`


			Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`; php.ini`
			`session.use_trans_sid=1 ; Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`