RSPEC-3336

"session.use_trans_sid" should not be enabled

Details

• Type: Vulnerability Detection
• Status: Active
• Resolution: Unresolved
• Message: Set "session.use_trans_sid" to 0 or remove this configuration.
• Default Severity: Blocker
• Impact: High
• Likelihood: High
• Covered Languages: PHP
• Remediation Function: Constant/Issue
• Constant Cost: 5min
• OWASP: A6

Description

PHP's session.use_trans_sid automatically appends the user's session id to URLs when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:

• see the URL over the user's shoulder
• be sent the URL by the user
• retrieve the URL from browser history
• ...

For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.

Since session.use_trans_sid is off by default, this rule raises an issue when it is explicitly enabled.

Noncompliant Code Example

    ; php.ini
    session.use_trans_sid=1  ; Noncompliant
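As an added example, not SonarSource's own rule implementation, the following Python script performs the check this rule describes over a constructed php.ini fragment. It applies PHP's own boolean interpretation of ini values (true, yes, on, or a nonzero integer count as enabled; everything else is off), so spellings such as On or 2 are flagged, not only the literal 1, while commented-out lines and explicit 0/Off values are left alone. The sample fragment and the function names are this example's own.

```python
"""Checker for RSPEC-3336: flag php.ini lines that enable session.use_trans_sid.

Added example; it is not SonarSource's rule implementation.
"""
import re

# key = value, with the value captured up to trailing whitespace.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_.]+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed php.ini fragment used as sample input.
SAMPLE_INI = """\
[Session]
; constructed sample php.ini fragment
session.use_only_cookies = 1
session.use_trans_sid = 1      ; Noncompliant
session.use_trans_sid = On     ; Noncompliant (case-insensitive)
session.use_trans_sid = 0      ; Compliant
; session.use_trans_sid = 1    ; commented out, ignored
"""


def ini_value_is_on(raw: str) -> bool:
    """Apply PHP's boolean reading of an ini value.

    PHP treats "true", "yes" and "on" (any case) as enabled, and otherwise
    converts the leading integer of the value: nonzero means enabled.
    """
    value = raw.split(";", 1)[0].strip()            # drop an inline ; comment
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]                         # unquote "1" / 'On'
    if value.lower() in ("true", "yes", "on"):
        return True
    m = re.match(r"[+-]?\d+", value)                # atoi-style leading integer
    return m is not None and int(m.group()) != 0


def find_trans_sid_issues(ini_text: str):
    """Return (line_number, line) for each line that enables use_trans_sid."""
    issues = []
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";[":     # blank, comment, or [section]
            continue
        m = _LINE.match(line)
        if not m or m.group("key").lower() != "session.use_trans_sid":
            continue
        if ini_value_is_on(m.group("value")):
            issues.append((lineno, stripped))
    return issues


if __name__ == "__main__":
    for lineno, text in find_trans_sid_issues(SAMPLE_INI):
        print(f"php.ini:{lineno}: Set \"session.use_trans_sid\" to 0 "
              f"or remove this configuration. -> {text}")
```

Run against the sample, the script reports lines 4 and 5 only. The same parsing applies to a real php.ini; the only rule-specific part is the key comparison, so the checker extends to other boolean session settings by changing that one string.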

People

• Assignee: Unassigned
• Reporter: Ann Campbell (ann.campbell.2)
• Votes: 0
• Watchers: 2