MFH. Trans SID related changes.

diff --git a/ext/session/session.c b/ext/session/session.c
index 9e0993dbf638926b18d7f9510958fb2925b5b533..3475b67fe9dd8d6f288e9e349ff784dc1e5d56d6 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -154,7 +154,7 @@ PHP_INI_BEGIN()
        STD_PHP_INI_ENTRY("session.entropy_length",             "0",                    PHP_INI_ALL, OnUpdateInt,                       entropy_length,         php_ps_globals, ps_globals)
        STD_PHP_INI_ENTRY("session.cache_limiter",              "nocache",              PHP_INI_ALL, OnUpdateString,            cache_limiter,          php_ps_globals, ps_globals)
        STD_PHP_INI_ENTRY("session.cache_expire",               "180",                  PHP_INI_ALL, OnUpdateInt,                       cache_expire,           php_ps_globals, ps_globals)
-       STD_PHP_INI_ENTRY("session.use_trans_sid",              "1",                    PHP_INI_ALL, OnUpdateBool,                      use_trans_sid,          php_ps_globals, ps_globals)
+       STD_PHP_INI_ENTRY("session.use_trans_sid",              "0",                    PHP_INI_ALL, OnUpdateBool,                      use_trans_sid,          php_ps_globals, ps_globals)
        /* Commented out until future discussion */
        /* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */
 PHP_INI_END()

diff --git a/php.ini-dist b/php.ini-dist
index 96d871bacdbe05b6e616fb9b28c3b650a3947e5a..8799ad07381c8c5b271766150463fb92103e4057 100644 (file)
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -746,8 +746,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security. 
+; Use this option with caution.
+; - User may send URL contains active session ID
+;   to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+;   in publically accessible computer.
+; - User may access your site with the same session ID
+;   always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

diff --git a/php.ini-recommended b/php.ini-recommended
index 0d0ca0350c0ed15cb15cd880fbae53d665850ff8..d741790620327e41c7a3a116759d1e920572cd4e 100644 (file)
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -753,8 +753,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security and it may not be
-; feasible to use it for some sites. Use this option with caution.
+; Use of trans sid may risk your users security. 
+; Use this option with caution.
+; - User may send URL contains active session ID
+;   to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+;   in publically accessible computer.
+; - User may access your site with the same session ID
+;   always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"