Posted by Michael Fesser on 10/02/60 12:00
..oO(Sebastian Lisken)
>Christian Welzel <gawain@camlann.de> wrote:
>> This is what the debian php5.ini says about use_trans_sid:
>>
>> ; trans sid support is disabled by default.
>> ; Use of trans sid may risk your users security.
>> ; Use this option with caution.
>> ; - User may send URL contains active session ID
>> ; to other person via. email/irc/etc.
>> ; - URL that contains active session ID may be stored
>> ; in publically accessible computer.
>> ; - User may access your site with the same session ID
>> ; always using URL stored in browser's history or bookmarks.
>> session.use_trans_sid = 0
>
>> So your <a href="script.php?<? echo SID; ?> opens your application
>> to exactly the facts mentioned above as it mimics session_trans_sid.
There are some more issues:
* A URL-SID will be stored in the server's log file.
* It might be sent to other(!) sites in the HTTP referrer. This is an
easy way to steal a session (it was done many times in the past on
some big freemail services).
>No, my code doesn't make a difference.
>
>Either cookies are enabled: then SID is an empty string and all that
>"my" code (it's not mine) adds is the question mark (this is not
>pleasing from a cosmetic point of view, but not the issue you mention)
>
>Or cookies are not enabled: then it's *necessary* to use the HTTP
>request to pass on the session ID, with all the risks you mention. If
>GET parameters are used, this can be done either with "my" code or with
>use_trans_sid, they have the same effect. If you say GET parameters
>shouldn't be used, what is your alternative?
Cookies. For sessions I _always_ require a cookie, I don't use URL-SIDs
anymore for the reasons mentioned above. Cookies are enabled by default
in most browsers, and people who are able to configure their browser as
they want should know enough to at least accept session cookies. If they
don't even do that, then it's their own problem, not mine.
Micha
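The cookies-only policy Micha describes (ignore any SID in the URL, require the browser to return a cookie), as an added example that is not code from this thread; it assumes PHP 7.3 or newer, and the probe cookie name and the `cookie_policy` helper are this example's own.

```php
<?php
// Cookie-only sessions: never accept or emit a session ID in the URL.
// (Added example; names below are the example's own, not from the thread.)
ini_set('session.use_only_cookies', '1'); // ignore SIDs passed via GET/POST
ini_set('session.use_trans_sid', '0');    // never rewrite URLs to carry the SID
ini_set('session.use_strict_mode', '1');  // reject SIDs the server never issued

session_set_cookie_params([
    'lifetime' => 0,       // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,    // keep the SID away from client-side script
    'samesite' => 'Lax',
]);

// Probe cookie (hypothetical name) to tell "cookies off" apart from "first visit".
const COOKIE_PROBE = 'cookie_probe';

/**
 * Decide how to handle this request from the cookies the client sent.
 * Returns 'ok' (session or probe cookie present), 'probe' (first visit: set a
 * probe cookie and redirect back to ourselves) or 'refuse' (probe was set but
 * never came back, so cookies are disabled and no session is started).
 */
function cookie_policy(array $cookies, string $sessionName, bool $probeRequested): string
{
    if (isset($cookies[$sessionName]) || isset($cookies[COOKIE_PROBE])) {
        return 'ok';
    }
    return $probeRequested ? 'refuse' : 'probe';
}

$decision = cookie_policy($_COOKIE, session_name(), isset($_GET['probe']));

switch ($decision) {
    case 'probe':
        setcookie(COOKIE_PROBE, '1', ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?') . '?probe=1', true, 302);
        exit;
    case 'refuse':
        http_response_code(403);
        exit('This site needs session cookies; please allow them and retry.');
}

session_start();
// From here on $_SESSION is bound to the cookie only: a "?PHPSESSID=..." in the
// URL is ignored, so a SID leaking via logs, Referer headers or bookmarks is useless.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'Requests in this session: ', $_SESSION['hits'];
```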