CHAPTER 11 – Auth Security Tip 1: Disable session.trans_sid

PHP's session.trans_sid feature is meant to provide transparent sessions to users who do not have cookies enabled. It rewrites every link on the page to carry the session id as a GET parameter. Combined with Auth, this is the equivalent of putting the username and password in the URL. With trans_sid enabled, there is a big risk of the session id leaking, because it follows users who click outgoing links through the HTTP Referer: header. This means the session id may be logged on any web server to which the Auth-protected site links. Some web servers are even so badly misconfigured that their access logs can be read through a browser. Hijacking the session is then just a matter of copying and pasting the URL from the access log.

By disabling trans_sid, you shut out users who do not have cookies enabled, but you eliminate the risk of session ids leaking out through the Referer header.
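As an added example that is not part of the original chapter, the following Python script shows how an administrator can check their own access logs for the leak described above: it parses Apache combined-format log lines and flags any request whose Referer carries a session id as a GET parameter, which is exactly what a trans_sid-enabled referring site produces. The log lines, hostnames and session id values are constructed for the example; PHPSESSID is PHP's default session name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; the Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines from a site that an Auth-protected site links to.
# Line 1 carries a (made-up) session id in the Referer; lines 2 and 3 do not.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /docs/ HTTP/1.1" 200 512 "http://intranet.example.test/reports.php?PHPSESSID=0123456789abcdef0123456789abcdef" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/ HTTP/1.1" 200 512 "http://intranet.example.test/reports.php" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""


def referer_session_leaks(log_text, session_names=("PHPSESSID",)):
    """Return (line_number, referring_host, parameter_name) for every request
    whose Referer URL carries a session id as a query parameter.

    A hit means the referring site is rewriting links with trans_sid and its
    users' session ids are being written into this server's log."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m or m.group("referer") == "-":
            continue
        parts = urlsplit(m.group("referer"))
        params = parse_qs(parts.query)
        for name in session_names:
            if name in params:
                # Record the fact of the leak, not the session id itself.
                leaks.append((lineno, parts.hostname, name))
    return leaks


if __name__ == "__main__":
    for lineno, host, name in referer_session_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {host} leaked a {name} value via Referer")
```

If the referring site uses a custom session name (PHP's session.name setting), pass it in `session_names`.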
