Added trans_sid security risk examples.

diff --git a/php.ini-dist b/php.ini-dist
index f63bdfe98f4293f5011c2d8bc21eee7fc00a9126..b497e804e9c4d7620e9a0883e717895b18fac7a7 100644 (file)
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -808,8 +808,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security. 
+; Use this option with caution.
+; - User may send URL contains active session ID
+;   to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+;   in publically accessible computer.
+; - User may access your site with the same session ID
+;   always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

diff --git a/php.ini-recommended b/php.ini-recommended
index 2c26e27feedb15a714ca3d77f643bffac6a54ae7..c157e039b6ac51ee859530f09ed0b4127db3fa36 100644 (file)
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -824,8 +824,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+;   to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+;   in publically accessible computer. 
+; - User may access your site with the same session ID
+;   always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"