Posted by Christian Welzel on 11/12/23 12:00

Sebastian Lisken wrote:

> guess that the code was developed in a context where it wasn't. As it
> turns out, on my WAMP 5 installation it is disabled too. I've enabled

This is what the debian php5.ini says about use_trans_sid:

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

So your <a href="script.php?<? echo SID; ?> opens your application
to exactly the facts mentioned above as it mimics session_trans_sid.

--
MfG, Christian Welzel

GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15

• Next in forum: Re: Rotating URL website Code
• Prev in forum: Re: Rotating URL website Code
• Thread view: Re: Can SID be trusted?

[Reply to this message]