Posted by Jerry Stuckle on 11/03/44 12:00
Christian Welzel wrote:
> Sebastian Lisken wrote:
>
>> guess that the code was developed in a context where it wasn't. As it
>> turns out, on my WAMP 5 installation it is disabled too. I've enabled
>
> This is what the debian php5.ini says about use_trans_sid:
>
> ; trans sid support is disabled by default.
> ; Use of trans sid may risk your users security.
> ; Use this option with caution.
> ; - User may send URL contains active session ID
> ; to other person via. email/irc/etc.
> ; - URL that contains active session ID may be stored
> ; in publically accessible computer.
> ; - User may access your site with the same session ID
> ; always using URL stored in browser's history or bookmarks.
> session.use_trans_sid = 0
>
> So your <a href="script.php?<? echo SID; ?> opens your application
> to exactly the facts mentioned above as it mimics session_trans_sid.
>
Yea, some of the Debian people aren't very smart. That's why I always
compile my own PHP on Debian and have my own configuration file. And
even if it isn't enabled, it's quite easy to enable.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
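As an added illustration (not code from this thread or from Debian's php.ini), the following PHP shows the two ways the quoted warning applies: writing the `SID` constant into a link puts the session id in the URL just as `session.use_trans_sid=1` would, and a cookie-only session configuration avoids both. The setting names are real PHP ini directives; the function names and the `script.php` target are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes a standard PHP session
// setup (PHP 5.5.2+ for session.use_strict_mode); script.php is a placeholder.

// --- The pattern discussed in the thread: session id copied into a link ---
// With session.use_trans_sid=1 PHP rewrites links itself; echoing SID into
// href does the same thing by hand. Either way the id ends up in the URL and
// can be mailed, bookmarked, kept in browser history or stored in proxy and
// server logs, which is exactly what the php.ini comment warns about.
function link_with_sid_in_url($target)
{
    // SID expands to "PHPSESSID=<id>" when no session cookie was sent,
    // and to an empty string when the cookie was used.
    return '<a href="' . htmlspecialchars($target . '?' . SID) . '">next</a>';
}

// --- Cookie-only configuration: the id never travels in a URL ---
function configure_cookie_only_sessions()
{
    ini_set('session.use_trans_sid', 0);     // never rewrite URLs or forms
    ini_set('session.use_only_cookies', 1);  // ignore an id supplied via the URL
    ini_set('session.use_strict_mode', 1);   // reject ids the server did not issue
    ini_set('session.cookie_httponly', 1);   // keep the cookie away from client scripts
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', 1); // send the cookie over TLS only
    }
    session_start();
}

configure_cookie_only_sessions();

// After a login or privilege change, replace the id so that any copy of the
// old one (from a URL, a log, a bookmark) stops being valid.
// session_regenerate_id(true);

// Links no longer carry the id at all; the cookie does that job.
echo '<a href="script.php">next</a>';
```

With `session.use_only_cookies=1` a `?PHPSESSID=...` that does arrive in a URL is simply ignored, so a link someone pasted into email or IRC cannot be used to pick up their session.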