PHP session.use_trans_sid Session Hijacking

OWASP 2013-A2 OWASP 2017-A2 WASC-15 CWE-472 CAPEC-594 WSTG-SESS-09

Many web applications run with session.use_trans_sid enabled. When this setting is enabled, PHP passes the session ID through the URL (transparent session ID rewriting). Passing the session ID this way is a medium risk vulnerability, because it makes the web application more prone to session hijacking attacks. Session hijacking is a form of identity theft attack: an attacker steals the victim's session ID and then impersonates that user. If session.use_trans_sid is enabled, an attacker can obtain the session ID far more easily, since the setting exposes in the URL an identifier that would otherwise travel only in a cookie.

Example

The configuration below is an example of the vulnerable setting (php.ini treats 1, On and on as true):

		session.use_trans_sid = 1

Impact

Using this vulnerability, an attacker can:

  • perform session hijacking attacks
  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

The vulnerability can be fixed by disabling session.use_trans_sid in php.ini or in .htaccess:

  • php.ini
		session.use_trans_sid = 0

  • .htaccess (Apache with mod_php)
		php_flag session.use_trans_sid off
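The following is an added example, not code from the original article: a PHP bootstrap that enforces the fix at runtime and refuses to start a session while the ID could still be carried in the URL. It assumes PHP 7.x or later with the standard session extension, and also checks session.use_only_cookies, which is not mentioned above but closes the same exposure.

```php
<?php
// Added example (not from the original article): harden the session
// configuration at runtime and verify it before starting a session.
// Assumes PHP 7.x or later with the standard session extension.

declare(strict_types=1);

/**
 * Return the session settings that still allow the session ID to be
 * carried in the URL. An empty array means the configuration is safe.
 */
function session_url_exposure_issues(): array
{
    $issues = [];
    // Any truthy ini value ("1", "on", "On") means PHP rewrites URLs to
    // carry the session ID and accepts one supplied in the query string.
    if (filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN)) {
        $issues[] = 'session.use_trans_sid is enabled';
    }
    // use_only_cookies makes PHP ignore a session ID found in the URL even
    // if use_trans_sid is later re-enabled by a stray .htaccess.
    if (!filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $issues[] = 'session.use_only_cookies is disabled';
    }
    return $issues;
}

// Apply the safe values before session_start(). ini_set() only affects the
// current request, so php.ini or .htaccess remains the authoritative fix.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

$issues = session_url_exposure_issues();
if ($issues !== []) {
    // Fail closed: do not start a session with an unsafe configuration.
    http_response_code(500);
    error_log('Unsafe session configuration: ' . implode('; ', $issues));
    exit;
}

session_start();
echo 'Session started; the session ID is delivered via cookie only.';
```

If a hosting environment locks these directives (for example via php_admin_flag), ini_set() cannot change them and the check above will report the problem instead of silently continuing.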
