26 lines
891 B
Plaintext
26 lines
891 B
Plaintext
PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:
|
|
|
|
* see the URL over the user's shoulder
|
|
* be sent the URL by the user
|
|
* retrieve the URL from browser history
|
|
* ...
|
|
|
|
For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.
|
|
|
|
|
|
Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
; php.ini
|
|
session.use_trans_sid=1 ; Noncompliant
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
|