Home/ Questions/Q 6820257
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T21:24:12+00:00

When cookies are disabled, (and sessions are being used) the default .htaccess file allows

  • 0

When cookies are disabled, (and sessions are being used) the default .htaccess file allows php to append a get variable to the end of the url containing the session id to continue using sessions. Obviously this is a major security flaw, but does this mean (I dont have a custom server to test on and most servers have this off) that somebodies session can be accessed from anywhere, as long as the session is open and one has the id?

for example, say we have Joe, and Joe is logged into a site with a session based login system.
she enabled cookies, and her session Id is 1234.

then we have bob, who lives in africa and stalks Joe. he knows her id is 1234, so he goes to
http://www.unsecuresite.com/index.php?PHPSESSID=1234

on an unsecure site, will this allow him access to her account, giving the php script all of her session variables?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes it is unsecure, especially with using the URL parameter as you say.

    The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

    Assess the importance of the data carried by your sessions and deploy additional protections — this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

    There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site’s referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.

    Source: http://www.php.net/manual/en/session.security.php

    • 0