PHP session.use_trans_sid enabled
Description
The PHP configuration directive session.use_trans_sid, when enabled, causes session identifiers to be transmitted through URL parameters instead of secure HTTP cookies. This practice exposes session tokens in browser history, server logs, referrer headers, and shared URLs, significantly increasing the risk of session hijacking attacks. Session hijacking allows attackers to impersonate legitimate users by stealing their session identifiers from these exposed sources.
Remediation
Disable the session.use_trans_sid directive to prevent session IDs from being transmitted in URLs. This can be configured at the server level or application level using one of the following methods:
Method 1: php.ini Configuration (Server-wide)
session.use_trans_sid = 0
Method 2: .htaccess Configuration (Directory-level)
php_flag session.use_trans_sid off
Method 3: Runtime Configuration (Application-level)
<?php
ini_set('session.use_trans_sid', 0);
?>

After making changes, restart your web server and verify the configuration using phpinfo(). Additionally, ensure that session cookies are configured with the Secure and HttpOnly flags to further protect session identifiers.
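As an added example that is not part of the original advisory, the following PHP bootstrap applies Method 3 at runtime, adds the cookie hardening the text recommends, and then checks the effective values instead of trusting that ini_set() succeeded. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and that it is included before any output and before session_start().

```php
<?php
// Added example, not the advisory's own code. Include before any output.

function harden_session_config(): void
{
    // Never rewrite URLs or forms to carry the session id.
    ini_set('session.use_trans_sid', '0');
    // Accept the session id only from the cookie, never from the query string.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_cookies', '1');
    // Reject uninitialized ids to limit session fixation.
    ini_set('session.use_strict_mode', '1');

    // Secure (HTTPS only), HttpOnly (no script access) and SameSite flags.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the settings that are still unsafe; an empty array means all good.
// ini_set() silently fails when a directive is locked with php_admin_flag,
// so the effective values are read back rather than assumed.
function verify_session_config(): array
{
    $expected = [
        'session.use_trans_sid'    => '0',
        'session.use_only_cookies' => '1',
        'session.use_strict_mode'  => '1',
    ];
    $problems = [];
    foreach ($expected as $key => $want) {
        $have = (string) ini_get($key);
        if ($have !== $want) {
            $problems[] = "$key is '$have', expected '$want'";
        }
    }
    $cookie = session_get_cookie_params();
    if (empty($cookie['secure']))   { $problems[] = 'session cookie lacks Secure'; }
    if (empty($cookie['httponly'])) { $problems[] = 'session cookie lacks HttpOnly'; }
    return $problems;
}

harden_session_config();
$problems = verify_session_config();
if ($problems !== []) {
    // Fail closed rather than start a session whose id could leak.
    http_response_code(500);
    exit('Insecure session configuration: ' . implode('; ', $problems));
}
session_start();
```

Running the verify function on a deployment before and after the remediation is a quick way to confirm the php.ini or .htaccess change actually took effect for the PHP SAPI in use.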