Posted by Christian Welzel on 10/30/23 12:00
Sebastian Lisken wrote:
> guess that the code was developed in a context where it wasn't. As it
> turns out, on my WAMP 5 installation it is disabled too. I've enabled
This is what the debian php5.ini says about use_trans_sid:
; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0
So your <a href="script.php?<? echo SID; ?>"> opens your application
to exactly the facts mentioned above as it mimics session_trans_sid.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
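
An added example, not part of the original post: one way to keep the session ID out of URLs altogether, so links like the one discussed above never carry it. It assumes PHP 7.3 or later and cookie-capable clients; script.php is the page name used in the post, and strip_session_id() is a hypothetical helper written for this example.

```php
<?php
// Added example: cookie-only sessions, plus cleanup of old links that
// still carry the session ID in the query string.

// Take the session ID from the cookie only and never rewrite URLs.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
// Refuse session IDs that this server did not issue itself.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'httponly' => true,                      // not readable from script
    'secure'   => !empty($_SERVER['HTTPS']), // HTTPS only when available
    'samesite' => 'Lax',
]);

// Hypothetical helper: return the local path and query of $uri with the
// parameter named $name removed. Only the path component is reused, so a
// scheme or host smuggled into the request URI is dropped.
function strip_session_id(string $uri, string $name): string
{
    $path = (string) parse_url($uri, PHP_URL_PATH) ?: '/';
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    unset($query[$name]);
    return $path . ($query ? '?' . http_build_query($query) : '');
}

// A bookmarked, mailed or logged URL may still contain the ID. The settings
// above already ignore it; redirecting also removes it from the address
// bar, the history and later Referer headers.
$name = session_name();
if (isset($_GET[$name])) {
    header('Location: ' . strip_session_id($_SERVER['REQUEST_URI'], $name), true, 302);
    exit;
}

session_start();

// Links are written without SID; the cookie carries the session.
echo '<a href="script.php">next page</a>';
```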