PhpSecInfo Test Information
use_trans_sid
Test Description
This test determines if use_trans_sid is enabled.
Security Implications
When use_trans_sid is enabled, PHP will pass the session ID via the URL. This makes it far easier for a malicious party to obtain an active session ID and hijack the session.
Recommendations
Disable use_trans_sid in your PHP environment. You can do this in the php.ini file:
; Disable use_trans_sid for security reasons
session.use_trans_sid = 'off'
The setting can also be disabled in apache's httpd.conf file:
# Disable use_trans_sid for security reasons
php_flag session.use_trans_sid off
Under PHP5, you can also use a .htaccess file to disable use_trans_sid.
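As an added illustration (not PhpSecInfo's own code), the following stand-alone PHP script performs the same check this test describes. Because ini_get() returns the raw configured string, a value such as 'off' from php.ini has to be normalised the way PHP's own boolean ini handler does before it can be judged; the function names are assumptions for this example.

```php
<?php
// Added example, not part of PhpSecInfo. Function names are assumptions.

/**
 * Normalise an ini flag the way PHP's boolean ini handler does:
 * "on", "yes" and "true" are enabled; anything else is enabled only if
 * its leading integer value is non-zero (so "off", "no", "false", "0"
 * and "" are all disabled, while "1" or "2" are enabled).
 */
function ini_flag_is_on(string $value): bool
{
    $v = strtolower(trim($value));
    if (in_array($v, ['on', 'yes', 'true'], true)) {
        return true;
    }
    // Mirrors atoi(): "2abc" counts as 2, "off" counts as 0.
    return (int) $v !== 0;
}

/**
 * Check session.use_trans_sid. Pass an explicit value to test a config
 * string, or omit it to inspect the running PHP process.
 */
function check_use_trans_sid(?string $value = null): array
{
    $value   = $value ?? (string) ini_get('session.use_trans_sid');
    $enabled = ini_flag_is_on($value);

    return [
        'setting' => 'session.use_trans_sid',
        'value'   => $value,
        'status'  => $enabled ? 'WARNING' : 'OK',
        'message' => $enabled
            ? 'Session IDs may be passed via the URL. Set session.use_trans_sid = 0 '
              . 'in php.ini or "php_flag session.use_trans_sid off" in httpd.conf.'
            : 'use_trans_sid is disabled.',
    ];
}

// Stand-alone usage: report on the live setting of this PHP process.
$result = check_use_trans_sid();
printf("[%s] %s = '%s': %s\n",
    $result['status'], $result['setting'], $result['value'], $result['message']);

// Constructed values showing how configured strings are interpreted:
// check_use_trans_sid('off')['status'] is 'OK', check_use_trans_sid('1')['status'] is 'WARNING'.
```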