Reputation:
I had a look at this post, but I do not understand whether I'm vulnerable to session fixation attacks when using this code:
myPage.php
<?php
// Session ID is NOT carried in a cookie ...
ini_set("session.use_cookies",0);
// ... and PHP is allowed to accept it from other sources (GET/POST) ...
ini_set("session.use_only_cookies",0);
// ... with transparent SID rewriting enabled, so the ID travels in URLs
ini_set("session.use_trans_sid",1);
session_start();
$_SESSION['myName'] = "myNameIsOk";
if($_SESSION['myName'] === "myNameIsOk" ){
print_r($_SESSION);
print_r($_COOKIE);
}
?>
I'm using only this code as it is, and I'm not using URL parameters or any other stuff, so
is this code vulnerable to PHP session fixation attacks? If yes, how? I'm not a PHP expert.
Can you post an example of the attack?
Upvotes: 0
Views: 729
Reputation: 36
A session fixation attack can happen when you use the URL to pass an ID, for example:
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
If another person visits this link, they can gain access to another person's account.
To avoid this you must not accept session identifiers from GET / POST variables.
Don't use:
ini_set("session.use_trans_sid",1);
But:
ini_set("session.use_trans_sid",0);
This disables transparent SID support.
URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
You can read more about session fixation here:
http://en.wikipedia.org/wiki/Session_fixation
Upvotes: -4
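As an added example (not code from the question or the answer), here is the question's session bootstrap rewritten with the settings the answer recommends, plus the regenerate-on-login step that closes the fixation window even when cookies are used. The function names secure_session_start and login_user are hypothetical, the credential check is a placeholder, and the explicit query-string check is a defensive extra for logging: with session.use_only_cookies=1 PHP already ignores a SID passed as a request parameter.

```php
<?php
// Added example: hardened session start for the configuration discussed above.
// Requires PHP >= 7.3 for the array form of session_set_cookie_params().

function secure_session_start(): void
{
    // Accept the session ID from the cookie only, never from GET/POST or
    // rewritten URLs. These are the opposite of the question's settings.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');

    // Defensive extra: if a session ID still arrives as a request parameter
    // (e.g. a forwarded link), record it for detection and drop it rather than
    // letting any later code adopt the caller-chosen value. The value is
    // attacker-controlled, so it is not echoed back anywhere.
    $name = session_name();
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        error_log("session id supplied via request parameter, ignored");
        unset($_GET[$name], $_POST[$name]);
    }

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $userId): void
{
    // Regenerate the ID at the privilege change so any ID known before login,
    // whether fixed or leaked, is no longer tied to the authenticated session.
    // The old session file is removed (true) so it cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

secure_session_start();
if (!isset($_SESSION['user_id'])) {
    // Placeholder: real code validates a password or token before this call.
    login_user('demo-user');
}
print_r($_SESSION);
```

The two settings the answer names (use_only_cookies=1, use_trans_sid=0) stop PHP from reading a SID out of the URL; session_regenerate_id(true) at login is what protects against a fixation attempt that arrives through any other channel, because the ID an attacker knew before authentication is thrown away at the moment the session gains privileges.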