On one of my sites, I have ini_set('session.use_trans_sid', 1) set which allows users with no Cookies to use the site. It does this be keeping track of the Session via the URL.

However, I’m experiencing a serious security issue that is allowing Sessions to be easily hijacked.

Basically, Google is indexing pages with the Session ID it was given at the time of its Crawl since the Googlebot does not use Cookies.

Then, when someone searches for my site and then clicks the search result in Google that includes the old Session URL, that old Session ID now becomes their Session ID (rather than a new one being generated).

So then when that user logs in, their account is logged in using the Session ID indexed all over Google! That means any other users searching for our site and clicking one of the search results in Google gets automatically logged in to that other users account!

Talk about a massive security hole!

How can I fix this? I would have thought that PHP would recognize that a Session ID is no longer valid (or no longer exists) and then generate a new one, but it doesn’t seem to be doing that. It seems like if it did do that, it would fix this issue.

Please help!

EDIT:

What is essentially happening here is that PHP is allowing anyone to create their own custom Session ID by simply entering whatever they want for the Session ID parameter in their URL, and PHP will start using that as their Session ID. I can literally make the Session ID = “securityflaw” in the URL and it will literally use that as the Session ID even after logging in! So when someone clicks a link on Google with the Googlebot’s old Session ID, PHP is making the users “custom” Session ID be that. Surely something is amiss!