PHP’s session.use_trans_sid
automatically appends the user’s session id to urls when cookies are disabled. On the face of it, this
seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked
by anyone who might:
- see the URL over the user’s shoulder
- be sent the URL by the user
- retrieve the URL from browser history
- …
For that reason, it’s better to practice a little "tough love" with your users and force them to turn on cookies.
Since session.use_trans_sid
is off by default, this rule raises an issue when it is explicitly enabled.
Noncompliant Code Example
; php.ini
session.use_trans_sid=1 ; Noncompliant
See