PHP session.use_trans_sid Session Hijacking

Rejah Rehim
Published on
02 May 2022
1 min read

There are many web applications that have set use_trans_sid as enabled. An enabled use_trans_sid will allow the PHP to pass session ID through the URL. This passing technique is a medium risk vulnerability in the cyber world as this vulnerability makes the web application more prone to session hijacking attacks. Session hijacking is a form of identity theft attack. Here, an attacker impersonates himself as another user so as to steal the victim’s session ID. If session,use_trans_sid is enabled, an attacker can easily sniff cookie data from the coomunication as this setting allows cookie transfer using URL.


The below code is an example:-

		session.use_trans_sid = 'on'



Using this vulnerability, an attacker can:-

  • perform session hijacking attack
  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

The vulnerability can be fixed by:-

  • Disabling session.use_trans_sid from php.ini or .htaccess.
    • php.ini
		session.use_trans_sid = 'off'

* .htaccess
		php_flag session.use_trans_sid off

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment