Hi,

At 08:18 14-8-2002, Yasuo Ohgaki wrote:

>Rasmus Lerdorf wrote:
>>As much as I think trans-sid sucks from a performance perspective, what's
>>with this comment in php.ini-dist?
>>
>>; trans sid support is disabled by default.
>>; Use of trans sid may risk your users security. It may not be
>>; feasible to use this option for some sites. Use this option with caution.
>>session.use_trans_sid = 0
>>
>>What security issue is this referring to?
>
>One security risk is sending a URL that contains an
>active session ID to others.

Using sessions as the only method for authentication and permission grants is
a security risk, regardless of the client-side storage of the session ID. It's
easy enough to send a cookie to somebody else.

>Another is storing a URL that contains a session
>ID in the history. The computer may be a public one.
>A user may access the server with the same session ID
>always, etc.

If this is a public computer (I think you mean like in an internet cafe or
library) the same applies to cookies, only then it's less obvious, so I'd say
trans-sid is more secure. The 'always' factor depends on the session timeout.
If there is no session with that id, the session ID is worthless.

Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
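The leak paths the thread argues about (a session ID carried in the URL ending up in logs, Referer headers and other people's browsers) can be checked for on the server side. The following is an added example, not code from the thread or from PHP: it scans Apache combined-format access log lines (constructed here, with a made-up PHPSESSID value) for session IDs in request URLs and Referers, and flags IDs used from more than one client address.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from the thread). One session ID travels in
# the URL, is echoed back in a Referer, and later shows up from a second client.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2002:08:18:00 +0200] "GET /index.php?PHPSESSID=abc123def456 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Aug/2002:08:18:05 +0200] "GET /page.php HTTP/1.0" 200 512 "http://www.example.com/index.php?PHPSESSID=abc123def456" "Mozilla/4.0"
10.0.0.9 - - [14/Aug/2002:08:19:00 +0200] "GET /index.php?PHPSESSID=abc123def456 HTTP/1.0" 200 512 "http://other.example.net/links.html" "Mozilla/4.0"
10.0.0.7 - - [14/Aug/2002:08:20:00 +0200] "GET /index.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [ts] "method url proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def sid_in_url(url, name="PHPSESSID"):
    """Return the session ID carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None

def scan_log(text, name="PHPSESSID"):
    """Find session IDs exposed in request URLs or Referers, and IDs seen from several clients."""
    url_hits, referer_hits, sid_clients = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        sid = sid_in_url(m["url"], name)
        if sid:  # the ID is now in this log, the browser history and any bookmark
            url_hits.append((lineno, m["ip"], sid))
            sid_clients.setdefault(sid, set()).add(m["ip"])
        # A Referer carrying the ID means the previous page URL contained it; had that
        # link pointed off-site, the remote server's logs would now hold the session ID.
        ref_sid = sid_in_url(m["referer"], name) if m["referer"] != "-" else None
        if ref_sid:
            referer_hits.append((lineno, m["ip"], ref_sid))
    # One ID from several client addresses is the "URL sent to others" case from the thread.
    shared = {sid: ips for sid, ips in sid_clients.items() if len(ips) > 1}
    return {"url": url_hits, "referer": referer_hits, "shared": shared}

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for lineno, ip, sid in report["url"]:
        print(f"line {lineno}: {ip} sent session {sid} in the URL")
    for lineno, ip, sid in report["referer"]:
        print(f"line {lineno}: {ip} leaked session {sid} via Referer")
    for sid, ips in report["shared"].items():
        print(f"session {sid} used from {len(ips)} clients: {', '.join(sorted(ips))}")
```

Any hit here is a reason to prefer cookie-only sessions (PHP's session.use_only_cookies directive, which is not discussed in the thread, makes the server ignore IDs passed in the URL) and to shorten the session timeout so a shared ID expires quickly.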