PHP session.use_only_cookies disabled

Description

When use_only_cookies is disabled, PHP will pass the session ID via the URL. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session ID. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.

Remediation

You can enabled session.use_only_cookies from php.ini or .htaccess.

php.ini
session.use_only_cookies = 'on'

.htaccess
php_flag session.use_only_cookies on

References
Severity
Classification
Tags
  • Configuration