How big Security Risk? enable session.use_trans_sid

halojoy

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

I have my own apache + php.ini
Now I have downloaded a User Management script
for secure protection + login access at parts of my website.

This script requires setting turning ON this in php.ini
session.use_trans_sid = 1
But I have the default php.ini setting: = 0 (OFF)

As you can see above my quote of the php.ini comment says:
; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.

My questions are now:

How big security risk can this be?
When this so called 'secure user authtentication' script
wants session.use_trans_sid to be enabled.
Considerations for my other php scripts, if turning this ON?

thanks
halojoy

mjax

The risk is that if the hacker knows the sessionid of another user, the hacker can easily take over the session by including something like PHPSESSID=sessionid in the URL.

Sessionids are not easily guessed. However they can be obtained by cross-site-scripting or javascript injection exploits.

Here's some code to fight session hijacking very effectively:

session_start();
if(version_compare(‘5.1.0’, phpversion(), ‘>’)) {
	session_regenerate_id(TRUE);
} else {
	unlink(ini_get(‘session.save_path’).’/sess_’.session_id());
session_regenerate_id();
}

Just replace your existing call to session_start() with the code above. It works by generating a new sessionid on every request, thus making obtained sessionids useless.

halojoy

thanks
both for your code
and your good explaination
🙂