Why is the 'session.use_trans_sid' directive dangerous? [XOOPS general usage questions]

Why is the 'session.use_trans_sid' directive dangerous?

2008/6/24 8:18
tedsmith
Home away from home
Posts: 1151
Since: 2004/6/2 1

Can anyone tell me why 'session.use_trans_sid' is dangerous or give me a URL that explains it well?

Thanks

Ted

Re: Why is the 'session.use_trans_sid' directive dangerous?

2008/6/24 8:54
wizanda
Home away from home
Posts: 1585
Since: 2004/3/21

Quote:

Most people tend to forget that the PHPSESSID are dangerous to use straight
in the queries, because it comes from a cookie (or URL), and thus from the
client, and thus can not be trusted (SQL-injection).

It also looks awful, having every link with their session posted into the url...
.htaccess


php_flag session.use_trans_sid off

Oneness - True Faith

Re: Why is the 'session.use_trans_sid' directive dangerous?

2008/6/24 15:06
tedsmith
Home away from home
Posts: 1151
Since: 2004/6/2 1

I need some more detail really. Any URLs to point to that anyone knows of?

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Why is the 'session.use_trans_sid' directive dangerous?

Re: Why is the 'session.use_trans_sid' directive dangerous?

Re: Why is the 'session.use_trans_sid' directive dangerous?

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}