PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

* see the URL over the user's shoulder
* be sent the URL by the user
* retrieve the URL from browser history
* ...

For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.


Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.


== Noncompliant Code Example

----
; php.ini
session.use_trans_sid=1  ; Noncompliant
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration