PhpSecInfo Test Information

use_trans_sid

Test Description

This test determines if use_trans_sid is enabled.

Security Implications

When use_trans_sid is enabled, PHP will pass the session ID via the URL. This makes it far easier for a malicious party to obtain an active session ID and hijack the session.

Recommendations

Disable use_trans_sid in your PHP environment. You can do this in the php.ini file:

; Disable use_trans_sid for security reasons
session.use_trans_sid = Off

The setting can also be disabled in Apache's httpd.conf file:

# Disable use_trans_sid for security reasons
php_flag session.use_trans_sid off

Under PHP5, you can also use a .htaccess file (with the same php_flag line) to disable use_trans_sid; php_flag is only honoured when PHP runs as an Apache module and AllowOverride permits it for that directory.
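To confirm that the change actually took effect in the running interpreter (rather than only in a file that may not be the one loaded), the following script reads the live value the way a PhpSecInfo-style test would. It is an added example, not PhpSecInfo's own code. Because ini_get() returns the raw configured string, the check normalises the value the same way PHP's own boolean parser does, so "Off", "off", "0", "" and "no" are all recognised as disabled:

```php
<?php
// Added example (not part of PhpSecInfo): report whether session.use_trans_sid
// is disabled in the currently running PHP configuration.

/**
 * Interpret an ini value as PHP's boolean parser does: "true", "yes" and "on"
 * (case-insensitive) are true; anything else is true only if it converts to a
 * non-zero integer. ini_get() hands back the raw string, which may be "", "0",
 * "Off", a quoted 'off' literal, "1", "On", etc., so all of these must be handled.
 */
function ini_bool(string $raw): bool
{
    $v = strtolower(trim($raw));
    if (in_array($v, ['true', 'yes', 'on'], true)) {
        return true;
    }
    return (int) $v !== 0;   // "off", "false", "no", "" and "0" all evaluate to false here
}

/**
 * Check the live value of session.use_trans_sid and return a small report.
 * ini_get() returns false when the directive does not exist (e.g. the session
 * extension is not loaded); that case is reported as "not set".
 */
function check_use_trans_sid(): array
{
    $raw = ini_get('session.use_trans_sid');
    if ($raw === false) {
        return ['raw' => null, 'enabled' => false, 'status' => 'NOTICE: directive not available'];
    }
    $enabled = ini_bool($raw);
    return [
        'raw'     => $raw,
        'enabled' => $enabled,
        'status'  => $enabled
            ? 'WARN: session IDs may be appended to URLs (session hijacking risk)'
            : 'OK: use_trans_sid is disabled',
    ];
}

$report = check_use_trans_sid();
printf(
    "session.use_trans_sid = %s -> %s\n",
    var_export($report['raw'], true),
    $report['status']
);
```

Run it from the command line (php check.php) to test the CLI configuration, and also request it through the web server, since mod_php, php-fpm and the CLI can each load a different php.ini and only the web-facing value matters for session handling.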
