== Why is this an issue?

PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

* see the URL over the user's shoulder
* be sent the URL by the user
* retrieve the URL from browser history
* ...

For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.


Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.


=== Noncompliant code example

[source,php]
----
; php.ini
session.use_trans_sid=1  ; Noncompliant
----


== Resources

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Set "session.use_trans_sid" to 0 or remove this configuration.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 06:47:24 Linda Martin wrote:
LGTM!

endif::env-github,rspecator-view[]