PHP session.use_only_cookies Is Disabled
Description
The PHP configuration directive 'session.use_only_cookies' is disabled, allowing session identifiers to be transmitted via URL parameters instead of being restricted to HTTP cookies. When session IDs appear in URLs, they can be exposed through browser history, server logs, referrer headers, and shared links, significantly increasing the risk of session hijacking attacks. Session hijacking allows an attacker to impersonate a legitimate user by obtaining their session identifier, potentially gaining unauthorized access to the user's account and data.
Remediation
Enable the 'session.use_only_cookies' directive to ensure session IDs are only transmitted via HTTP cookies and never through URL parameters. This can be configured at the server level or application level using one of the following methods:
Method 1: php.ini Configuration (Server-wide)
Locate your php.ini file and set:
session.use_only_cookies = 1
Method 2: .htaccess Configuration (Per-directory)
Add the following directive to your .htaccess file:
php_flag session.use_only_cookies on
Method 3: Runtime Configuration (Application-level)
Set the directive before calling session_start() in your PHP code:
ini_set('session.use_only_cookies', 1);
session_start();

After making changes, restart your web server and verify the configuration by checking the phpinfo() output. Additionally, consider enabling the 'session.cookie_httponly' and 'session.cookie_secure' directives to further protect session cookies from XSS attacks and to ensure they are transmitted only over HTTPS.
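As an added example (not code from this advisory), the PHP bootstrap below applies Method 3 together with the related cookie directives, and audits the server-level values before session_start() so a weak php.ini is reported rather than silently papered over. The function names are assumed; session.use_trans_sid and session.use_strict_mode are real directives that go beyond the ones named in the finding.

```php
<?php
// Added example, not part of the advisory: hardened session bootstrap plus
// an audit helper that reports which session directives are still weak.

// Return the directives that are still insecure; an empty array passes.
function auditSessionConfig(): array
{
    $required = [
        'session.use_only_cookies' => '1', // never accept a session ID from the URL
        'session.use_trans_sid'    => '0', // never rewrite links to carry the ID
        'session.use_strict_mode'  => '1', // reject IDs the server did not issue
        'session.cookie_httponly'  => '1', // keep the cookie away from JavaScript
        'session.cookie_secure'    => '1', // send the cookie over HTTPS only
    ];
    $findings = [];
    foreach ($required as $directive => $expected) {
        $actual = ini_get($directive);
        // ini_get() returns strings such as "", "0", "1" or "On"; normalise to 0/1
        $normalised = filter_var($actual, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
        if ($normalised !== $expected) {
            $findings[$directive] = ['expected' => $expected, 'actual' => $actual];
        }
    }
    return $findings;
}

// Start the session with the hardened values for this request. Must run
// before any output and before any other session_start() call.
function startHardenedSession(): void
{
    // The options array overrides php.ini for this request; keys drop the
    // "session." prefix. cookie_samesite needs PHP 7.3 or later.
    session_start([
        'use_only_cookies' => 1,
        'use_trans_sid'    => 0,
        'use_strict_mode'  => 1,
        'cookie_httponly'  => 1,
        'cookie_secure'    => 1,
        'cookie_samesite'  => 'Lax',
    ]);
}

// Audit the server-level configuration first so weak php.ini values are
// logged even though the per-request overrides below correct them.
$findings = auditSessionConfig();
if ($findings !== []) {
    error_log('Weak session configuration: ' . json_encode($findings));
}
startHardenedSession();
```

Running auditSessionConfig() from a CLI script (php -r or a small check script) reflects the CLI php.ini, so run it through the web SAPI to audit the values the web server actually uses.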