PHP session.use_trans_sid enabled

Description
  • When use_trans_sid is enabled, PHP will pass the session ID via the URL. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session ID. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.
Remediation
  • You can disable session.use_trans_sid from php.ini or .htaccess.<br/><br/><strong>php.ini</strong><br/>session.use_trans_sid = 'off'<br/><br/><strong>.htaccess</strong><br/>php_flag session.use_trans_sid off<br/>
References