Rasmus Lerdorf wrote:
> As much as I think trans-sid sucks from a performance perspective, what's
> with this comment in php.ini-dist?
>
> ; trans sid support is disabled by default.
> ; Use of trans sid may risk your users security. It may not be
> ; feasible to use this option for some sites. Use this option with caution.
> session.use_trans_sid = 0
>
> What security issue is this referring to?
>

One security risk is sending a URL that contains an active session ID to others.
Another is storing a URL that contains a session ID in the history. The computer may be a public one.
The user may always access the server with the same session ID.
etc.

--
Yasuo Ohgaki

--
PHP Development Mailing List <http://www.php.net/>
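
Added example, not part of the original thread or of PHP itself: a Python sketch an administrator could run over a web server access log to see the first risk described above, a session ID carried in a URL being presented from more than one client address. It assumes Combined Log Format and PHP's default session name PHPSESSID; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# PHP's default session.name; assumption: the site has not renamed it.
SESSION_PARAM = "PHPSESSID"

# Leading part of a Combined Log Format line: client IP and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def sid_in_url(url):
    """Return the session ID carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def audit(lines):
    """Map each session ID seen in a request URL to the client IPs that sent it."""
    ips_by_sid = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        sid = sid_in_url(m["target"])
        if sid:
            ips_by_sid[sid].add(m["ip"])
    return ips_by_sid

def shared_sids(ips_by_sid):
    """Session IDs presented by more than one client address.

    A hit is a lead to review, not proof: a forwarded or bookmarked URL
    looks the same as one user whose address changed mid-session.
    """
    return sorted(sid for sid, ips in ips_by_sid.items() if len(ips) > 1)

# Constructed sample lines (documentation IP ranges, made-up session IDs).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cart.php?PHPSESSID=aaaa1111 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:30 +0000] "GET /index.php HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jan/2024:10:07:12 +0000] "GET /cart.php?PHPSESSID=aaaa1111 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Jan/2024:10:09:45 +0000] "GET /view.php?id=3&PHPSESSID=bbbb2222 HTTP/1.0" 200 256 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    seen = audit(SAMPLE)
    print("session IDs exposed in URLs:", sorted(seen))
    print("presented from several addresses:", shared_sids(seen))
```

Any session ID appearing in the first list shows that IDs are travelling in URLs at all, which is the condition the php.ini comment warns about.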