Originally posted by pdaoust
hmmmmmmmmmm... I think that both the <input type="hidden"> or the tagging of the session ID onto the URL are fairly low-security ways of passing the session ID around... you'd probably want to use either cookies or POST data.
Using <input type="hidden"> IS availing itself to the POST, unless the form action is set to GET.
My PHP does not have session.use_cookies_only, I do not understand the introduction of that setting. It seems to me setting use_trans_id to 'Off' would accomplish the same purpose, but I do not use native sessions so I might be missing some aspect of their behavior.
The default settings in the php.ini used to use cookies by default and only insert the session id in the URL if the client does not accept cookies. I just checked the documentation and it seems to say that is the default behavior $_SESSION uses, but it also appears use_trans_id is set to '0' by default. Does turning that off ALWAYS insert into the URL? I am obviously missing something here, or reading something wrong.
Forcing cookies is more secure if $_SESSION is the only means you are using to validate, but $_SESSION is not a secure form of validation anyway. For securing $_SESSION you should collect client environmental variables to validate the session against, which would significantly reduce any breaches via putting the ID in the URL.
Many visitors have cookies disabled so you really should write it into your code to tell those visitors why they are not able to log in if you force cookies. Even cookies can be sniffed though, and no matter what you do the login password is passed in plain text, so SSL is the next level of maintaining security where it is important.
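As an added illustration (this is example code, not code from anyone in the thread), the following PHP shows the two things the discussion above circles around: configuring native sessions so the ID travels only in a cookie and is never rewritten into URLs or hidden form fields, and binding the session to client environment variables so that a session ID alone is not enough to resume someone else's session. The real PHP directive names are session.use_only_cookies and session.use_trans_sid (the post refers to them as use_cookies_only and use_trans_id). The fingerprint function, the secret string and the choice of headers are assumptions for the example; what you bind to is a policy decision.

```php
<?php
// Added example: cookie-only native sessions plus a client fingerprint check.
// Directive names are PHP's own; everything else here is illustrative.

// All ini_set() calls must happen before session_start().
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links/forms with the ID
ini_set('session.cookie_httponly', '1');  // cookie not readable from script
ini_set('session.cookie_secure', '1');    // cookie sent only over HTTPS (assumes SSL, as the post recommends)

// Hypothetical fingerprint built from request headers a client rarely changes
// mid-session. The remote IP is deliberately left out because many clients
// (mobile, proxies, load balancers) change it; adding it is a policy choice.
function client_fingerprint(array $server): string {
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    // HMAC with a server secret so a client cannot precompute the stored
    // value for a borrowed User-Agent; use a real random secret in deployment.
    return hash_hmac('sha256', implode("\n", $parts), 'replace-with-server-secret');
}

// Starts the session and checks it against the current client.
// Returns true when the session may continue, false when it was discarded.
function start_validated_session(array $server): bool {
    session_start();
    $fp = client_fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // New session: issue a fresh ID and record who it belongs to.
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
        return true;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // The presented ID exists but the client does not match: drop it
        // rather than letting a leaked ID be replayed from elsewhere.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

if (!start_validated_session($_SERVER)) {
    http_response_code(403);
    // As the post suggests, tell the visitor why they are being bounced.
    exit('This session does not match your browser. Please log in again, and make sure cookies are enabled.');
}
```

With session.use_only_cookies on, a visitor whose browser rejects cookies will simply get a new empty session on every request, so the login handler should detect that (for example by checking that the session cookie comes back on the request after login) and show the message the post recommends instead of a silent failure.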