Reputation: 49381
I am not clear on the meaning and usage of PHP's session.use_trans_sid.
The online documentation says:
"If the run-time option session.use_trans_sid is enabled, relative URIs will be changed to contain the session id automatically."
Does this mean it will ALWAYS add the session id? Or only when cookies are not working?
Will it automatically add it to JavaScript's window.location or AJAX calls?
Also, in the php.ini file, it says:
trans sid support is disabled by default.
Use of trans sid may risk your users security.
Use this option with caution.
- User may send URL contains active session ID
to other person via. email/irc/etc.
- URL that contains active session ID may be stored
in publically accessible computer.
- User may access your site with the same session ID
always using URL stored in browser's history or bookmarks.
http://php.net/session.use-trans-sid
I'm confused: the online docs say "Unless you are using PHP 4.2.0 or later, you need to enable it manually." So why would it be disabled by default? (I'm using PHP 5.)
Also, isn't this feature NECESSARY to handle users with cookies disabled?
Upvotes: 4
Views: 27450
Reputation: 3634
"Does this mean it will ALWAYS add the session id? Or only when cookies are not working?"
If session.use_trans_sid and session.use_cookies are both 1, then session.use_only_cookies decides: 1 will disable URL rewriting. See this nice article.
"Will it automatically add it to JavaScript's window.location or AJAX calls?"
"Unless you are using PHP 4.2.0 or later, you need to enable it manually"
"Also, isn't this feature NECESSARY to handle users with cookies disabled?"
Upvotes: 4
Reputation: 57
The risk is that someone could give you a link with a sid, and you would use that link to log in; then they would have an active session in which you have logged in.
Upvotes: 4
Reputation: 21
You can go with this:
    <?php
    // The session cookie is named after session_name() (PHPSESSID by default);
    // the original used the literal key 'session_name', which never matches.
    if (isset($_COOKIE[session_name()])) {
        // Browser returned the session cookie: keep the id out of URLs.
        ini_set("session.use_trans_sid", "0");
        session_start();
        ///////////////////
        // any hard tracking code or hard work goes here
        // like $_SESSION['msisdn'] = "9455366212";
        ///////////////////
        $_SESSION['cookie_support'] = 1;
    } else {
        // No cookie seen (first visit or cookies disabled): fall back to URL ids.
        ini_set("session.use_trans_sid", "1");
        session_start();
        $_SESSION['cookie_support'] = 0;
    }
If a user tries to log in, check $_SESSION['cookie_support'] first; try to avoid any sensitive interactions when cookie_support=0.
Upvotes: 2
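A hardened variant of the cookie-detection approach above, added here as an example that is not from the question or any of the answers: it keeps the session id out of URLs entirely (use_only_cookies plus use_strict_mode) and regenerates the id at login, which closes the shared-link risk described in the earlier answer. It assumes PHP 7.3 or later and a site served over HTTPS; the function names are my own.

```php
<?php
// Added example, not code from the question or any answer.
// Assumes PHP >= 7.3 (session.cookie_samesite) and a site served over HTTPS.

function secure_session_start(): void
{
    // Never append the id to URLs, and ignore any id arriving in a URL.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server did not issue itself (blocks pre-chosen ids).
    ini_set('session.use_strict_mode', '1');
    // Cookie is unreadable from JavaScript and sent only over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    session_start();
}

// True when the client returned our session cookie (PHPSESSID by default).
// A login POST always follows a page load that set the cookie, so a missing
// cookie on the POST means cookies are off, not merely a first visit.
function client_sent_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

// Call only after credentials have been verified. A fresh id means an id
// the visitor received in a link from someone else never becomes the id of
// the authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true);      // true: discard the old session data
    $_SESSION['user_id'] = $userId;
}

secure_session_start();

if (!client_sent_session_cookie()) {
    // Instead of falling back to URL ids, tell the user cookies are required
    // and refuse the sensitive action; the rest of the site keeps working.
    http_response_code(403);
    echo 'Logging in requires cookies to be enabled.';
    exit;
}

// ... verify username/password here (application-specific), then:
// login_user($verifiedUserId);
```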
Reputation: 20726
If you enable "use_trans_sid" then the session id is attached to the URL every time. I am not sure what happens on an AJAX request, but I think it will be attached too.
And yes, you need trans_sid when the user has cookies disabled, but it's kind of insecure (think about someone looking at your screen and writing down your session id :-) ).
Upvotes: 1