Posted by Chung Leong on 11/16/06 15:15

Erwin Moller wrote:
> So url rewriting doesn't give less or more security than cookie based
> PHPSESSID transport...

I think you forgot about the HTTP Referer header. If your site has any
external links--or worse, links to external images--then the session ID
is easily compromised if it sits in the URL.

> There are two possible extra things to pay attention to:
> a) On shared hosting environments, on most setups, anybody with access on
> that server can read the filenames and content of cookies belonging to
> other sites. So if somebody on the same server wants to be a bad guy, they
> can just steal sessions.

Just the contents of the session file, not the cookie.

> So my advice would be to just use session.use_trans_sid to support cookie
> disabled browsers while not giving away security (since the security is low
> already).

trans_sid doesn't work very well, especially when your site makes use
of JavaScript. My advice is to turn it off, since using the feature
means doubling your QA time. Someone savvy enough to disable cookies is
probably savvy enough to make an exception for your site.
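As an added illustration (not code from the thread), the session settings the two posts are arguing about, with the weak transport shown as a comment and a bootstrap that closes the Referer leak and the shared-hosting file exposure; it assumes PHP 7.1 or later and a private save path you choose yourself.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.1+ (typed
// signatures) and PHP 5.5.2+ for session.use_strict_mode.

// Weak configuration: with these two settings PHP appends PHPSESSID=...
// to links and forms, so every outbound link or hotlinked external image
// hands the session ID to the third-party server via the Referer header.
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

function harden_session(): void
{
    // Never rewrite URLs with the session ID and never accept an ID
    // that arrives in the query string or request body.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Reject IDs the server did not generate itself.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie out of document.cookie and off plain-HTTP connections.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // Shared hosting: keep session files out of the shared /tmp so other
    // accounts cannot read their contents. Placeholder path, set your own.
    ini_set('session.save_path', '/path/to/private/sessions');
    // Defence in depth: even if an ID ever lands in a URL, ask browsers not
    // to send the path and query string to other origins.
    header('Referrer-Policy: strict-origin-when-cross-origin');
    session_start();
}

// Call once the user has authenticated so the pre-login ID is discarded.
function on_login(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

harden_session();
```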


