This option enables administrators to make their users invulnerable to
authorSascha Schumann <sas@php.net>
Wed, 12 Jun 2002 08:18:36 +0000 (08:18 +0000)
committerSascha Schumann <sas@php.net>
Wed, 12 Jun 2002 08:18:36 +0000 (08:18 +0000)
attacks which involve passing session ids in URLs.

ext/session/php_session.h
ext/session/session.c

index c458b11b563350ff61a24edd7db204f0f6d47922..01d8fc4d6daba6d07ed94bfbeece89a9f4f696c3 100644 (file)
@@ -113,6 +113,7 @@ typedef struct _php_ps_globals {
        zval *http_session_vars;
        zend_bool auto_start;
        zend_bool use_cookies;
+       zend_bool use_only_cookies;
        zend_bool use_trans_sid;        /* contains the INI value of whether to use trans-sid */
        zend_bool apply_trans_sid;      /* whether or not to enable trans-sid for the current request */
 } php_ps_globals;
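Review bot: The new `use_only_cookies` field is the only one in this run of the struct without a comment, while `use_trans_sid` and `apply_trans_sid` on the next two lines say what they hold; a comment in the same style would tell a reader that this mirrors the INI directive and what it suppresses, e.g. `zend_bool use_only_cookies;    /* INI value of session.use_only_cookies: ignore ids passed via GET, POST or the request URI */`. The enclosing `struct _php_ps_globals` begins before this hunk.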
index 849725a4c4834663e298ad652f4fbcf09dcc0efa..7e3ea9befe3ae2f850312d641fec39e3f3e4343e 100644 (file)
@@ -131,6 +131,7 @@ PHP_INI_BEGIN()
        STD_PHP_INI_ENTRY("session.cookie_domain",              "",                             PHP_INI_ALL, OnUpdateString,            cookie_domain,          php_ps_globals, ps_globals)
        STD_PHP_INI_BOOLEAN("session.cookie_secure",            "",                             PHP_INI_ALL, OnUpdateBool,              cookie_secure,          php_ps_globals, ps_globals)
        STD_PHP_INI_BOOLEAN("session.use_cookies",              "1",                    PHP_INI_ALL, OnUpdateBool,                      use_cookies,            php_ps_globals, ps_globals)
+       STD_PHP_INI_BOOLEAN("session.use_only_cookies",         "0",            PHP_INI_ALL, OnUpdateBool,                      use_only_cookies,       php_ps_globals, ps_globals)
        STD_PHP_INI_ENTRY("session.referer_check",              "",                             PHP_INI_ALL, OnUpdateString,            extern_referer_chk,     php_ps_globals, ps_globals)
        STD_PHP_INI_ENTRY("session.entropy_file",               "",                             PHP_INI_ALL, OnUpdateString,            entropy_file,           php_ps_globals, ps_globals)
        STD_PHP_INI_ENTRY("session.entropy_length",             "0",                    PHP_INI_ALL, OnUpdateInt,                       entropy_length,         php_ps_globals, ps_globals)
@@ -839,7 +840,7 @@ PHPAPI void php_session_start(TSRMLS_D)
                        define_sid = 0;
                }
 
-               if (!PS(id) &&
+               if (!PS(use_only_cookies) && !PS(id) &&
                                zend_hash_find(&EG(symbol_table), "_GET",
                                        sizeof("_GET"), (void **) &data) == SUCCESS &&
                                Z_TYPE_PP(data) == IS_ARRAY &&
@@ -849,7 +850,7 @@ PHPAPI void php_session_start(TSRMLS_D)
                        send_cookie = 0;
                }
 
-               if (!PS(id) &&
+               if (!PS(use_only_cookies) && !PS(id) &&
                                zend_hash_find(&EG(symbol_table), "_POST",
                                        sizeof("_POST"), (void **) &data) == SUCCESS &&
                                Z_TYPE_PP(data) == IS_ARRAY &&
@@ -864,7 +865,7 @@ PHPAPI void php_session_start(TSRMLS_D)
           '<session-name>=<session-id>' to allow URLs of the form
        http://yoursite/<session-name>=<session-id>/script.php */
 
-       if (!PS(id) &&
+       if (!PS(use_only_cookies) && !PS(id) &&
                        zend_hash_find(&EG(symbol_table), "REQUEST_URI",
                                sizeof("REQUEST_URI"), (void **) &data) == SUCCESS &&
                        Z_TYPE_PP(data) == IS_STRING &&
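Review bot: The three guards added at the `_GET`, `_POST` and `REQUEST_URI` lookups in php_session_start only stop an id from being accepted from those sources; nothing in this change touches `apply_trans_sid`, so with the option enabled the id is, as far as these hunks show, still written into URLs by trans-sid output rewriting even though the server will no longer honour it, which partly defeats the stated purpose. If that is not intended, the place where `apply_trans_sid` is decided (outside these hunks) should also clear it when `PS(use_only_cookies)` is set. The directive likewise does not imply `session.use_cookies`; with `use_cookies=0` and `use_only_cookies=1` no id can be received at all and every request would presumably start a fresh session, which deserves a comment at the first guard, e.g. `/* use_only_cookies: accept the id from the session cookie only (requires use_cookies) */`. The file list shows no php.ini template or documentation update for the `session.use_only_cookies` entry added in the first hunk of this file, and php_session_start begins and ends outside these hunks.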