PHP session tokens are normally transmitted through HTTP cookies. However, for clients that do not support cookies and when the PHP `session.use_trans_sid` setting is enabled, those tokens can be transmitted as URL parameters. == Why is this an issue? GET URL parameter can be disclosed in a variety of ways: * Directly in a web browser address bar. * In navigation history. * In web servers or intermediate proxies log files. === What is the potential impact? Attackers with access to any of those disclosure locations will be able to see and steal a victim's session token. They can then use it to log in as the user, impersonate their account, and take advantage of their privileges. Such an attack can be more or less severe depending on the victim's privileges. Common security impacts range from data theft to application takeover. ==== Data theft Attackers with access to a compromised account will be able to disclose any information stored on it. This includes the Personally Identifiable Information (PII) of the user. The confidentiality of PII is a requirement from national security regulatory authorities in most countries. Insufficiently protecting this data could have legal consequences and lead to fines or other prosecutions. ==== Application takeover Attackers compromise the account of a high-privileged user could modify internal web application logic, disrupt workflows, or change other application's settings in a way that will give them full control over it. Such an attack would lead to reputational damages and financial and legal consequences. == How to fix it === Code examples ==== Noncompliant code example [source,ini,diff-id=1,diff-type=noncompliant] ---- ; php.ini session.use_trans_sid=1 ; Noncompliant ---- ==== Compliant solution [source,ini,diff-id=1,diff-type=compliant] ---- ; php.ini session.use_trans_sid=0 ---- === How does this work? The compliant code example disables the `session.use_trans_sid` setting. Note that this parameter is off by default. == Resources === Standards * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Set "session.use_trans_sid" to 0 or remove this configuration. ''' == Comments And Links (visible only on this page) === on 1 Sep 2015, 06:47:24 Linda Martin wrote: LGTM! endif::env-github,rspecator-view[]