From: Yasuo Ohgaki
Date: Wed, 14 Aug 2002 06:45:23 +0000 (+0000)
Subject: Added trans_sid security risk examples.
X-Git-Tag: php-4.3.0dev_zend2_alpha3~72
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=699ccceaa4d2a7ca827de759b8f61323b6cf8b99;p=php
Added trans_sid security risk examples.
---
diff --git a/php.ini-dist b/php.ini-dist
index f63bdfe98f..b497e804e9 100644
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -808,8 +808,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publically accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
diff --git a/php.ini-recommended b/php.ini-recommended
index 2c26e27fee..c157e039b6 100644
--- a/php.ini-recommended
+++ b/php.ini-recommended
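Review bot: The three new bullet lines in php.ini-dist, and the identical block in the php.ini-recommended hunk below, are hard to read as written: `; - User may send URL contains active session ID` drops an article and a participle, `via. email` has a stray period, and `publically` should be `publicly`. Since these lines are the only in-file explanation of why `session.use_trans_sid` defaults to 0, I would write the first two bullets as `; - A user may send a URL containing an active session ID to someone else via email, IRC, etc.` and `; - A URL containing an active session ID may be stored on a publicly accessible computer.` The third bullet is clearer as a statement that a session ID kept in a browser's history or bookmarks is re-sent on every later visit, so the same ID is reused long after it should have expired. The bullets only describe how the ID leaks; a closing line pointing the administrator to cookie-based sessions (`session.use_only_cookies`, if this ini already carries that setting) would say what to do instead.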
@@ -824,8 +824,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publically accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"