
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
50 lines
1.4 KiB
Plaintext
== Why is this an issue?

PHP's ``++session.use_trans_sid++`` automatically appends the user's session id to URLs when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

* see the URL over the user's shoulder
* be sent the URL by the user
* retrieve the URL from browser history
* ...

For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.

Since ``++session.use_trans_sid++`` is off by default, this rule raises an issue when it is explicitly enabled.

=== Noncompliant code example

[source,php]
----
; php.ini
session.use_trans_sid=1 ; Noncompliant
----
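
The following is an added example, not part of the rule specification or of any SonarSource analyzer: a small audit script that applies the rule's logic to a php.ini file. It reports a line only when ``++session.use_trans_sid++`` is explicitly set to one of PHP's truthy ini spellings (1, On, True, Yes), skips commented-out lines, and treats the default (absent or 0) as compliant. The sample php.ini it scans is constructed for the example; `find_trans_sid_issues` and `ini_value` are the example's own names, and comparing the directive name case-insensitively is a conservative choice of the script, not a claim about PHP's parser.

```python
"""Audit a php.ini text for an explicitly enabled session.use_trans_sid.

Added example, not part of the rule specification. It mirrors the rule's
logic: the directive is off by default, so only an explicit "on" value is
reported. PHP accepts 1/On/True/Yes (case-insensitive) as boolean true in
ini files; every other value is treated as off.
"""
import re

# PHP's truthy spellings for boolean ini values (compared lower-cased).
TRUTHY = {"1", "on", "true", "yes"}

# `key = value`, where the value may be quoted; an unquoted value ends at `;`.
DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^;]*)")


def ini_value(raw: str) -> str:
    """Strip surrounding quotes and whitespace from a raw ini value, lower-cased."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value.strip().lower()


def find_trans_sid_issues(ini_text: str):
    """Return (line_number, line) for every line that enables session.use_trans_sid.

    Blank lines, [section] headers and comments (';' or '#') are ignored,
    as are settings that leave the directive off, which is the compliant state.
    """
    issues = []
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#[":
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        # Directive names are compared case-insensitively here as a conservative choice.
        if key.lower() == "session.use_trans_sid" and ini_value(raw) in TRUTHY:
            issues.append((lineno, stripped))
    return issues


# Constructed sample php.ini for this example (not taken from any real deployment).
SAMPLE_INI = """\
[Session]
session.use_cookies = 1
session.use_only_cookies = 1      ; rely on cookies only, never on URL parameters
;session.use_trans_sid = 1        ; commented out: not an issue
session.use_trans_sid = On        ; Noncompliant: session id is appended to URLs
session.cookie_httponly = 1
"""

# Constructed compliant counterpart: the directive is explicitly off.
COMPLIANT_INI = """\
[Session]
session.use_only_cookies = 1
session.use_trans_sid = 0
"""

if __name__ == "__main__":
    for lineno, line in find_trans_sid_issues(SAMPLE_INI):
        print(f'line {lineno}: {line}')
        print('  -> Set "session.use_trans_sid" to 0 or remove this configuration.')
    print("issues in compliant file:", find_trans_sid_issues(COMPLIANT_INI))
```

Running the script reports line 5 of the constructed sample and nothing for the compliant file. Setting ``++session.use_only_cookies=1++`` alongside ``++session.use_trans_sid=0++`` is the usual way to make PHP ignore any session id that still arrives in a URL.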

== Resources

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Set "session.use_trans_sid" to 0 or remove this configuration.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 06:47:24 Linda Martin wrote:
LGTM!

endif::env-github,rspecator-view[]