From dcf67c4433bfe4177595be7c5ae68ae4c308e835 Mon Sep 17 00:00:00 2001
From: Sascha Schumann
Date: Wed, 12 Jun 2002 08:18:36 +0000
Subject: [PATCH] This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs.
---
 ext/session/php_session.h | 1 +
 ext/session/session.c | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/ext/session/php_session.h b/ext/session/php_session.h
index c458b11b56..01d8fc4d6d 100644
--- a/ext/session/php_session.h
+++ b/ext/session/php_session.h
@@ -113,6 +113,7 @@ typedef struct _php_ps_globals {
 zval *http_session_vars;
 zend_bool auto_start;
 zend_bool use_cookies;
+ zend_bool use_only_cookies;
 zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
 zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
 } php_ps_globals;
diff --git a/ext/session/session.c b/ext/session/session.c
index 849725a4c4..7e3ea9befe 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -131,6 +131,7 @@ PHP_INI_BEGIN()
 STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateString, cookie_domain, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
+ STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals)
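Review bot: The new `use_only_cookies` field is the only one in this stretch of the struct without a comment, while the two trans-sid fields right below it each say what they hold, and the name alone does not tell a reader whether it restricts sending or accepting ids. Since the session.c hunks in this patch use it to gate the `_GET`, `_POST` and `REQUEST_URI` lookups, a one-line comment would settle that: `zend_bool use_only_cookies; /* INI: accept a session id only from the cookie, never from _GET, _POST or REQUEST_URI */`. The `_php_ps_globals` typedef begins before this hunk.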
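Review bot: The new entry is registered with `PHP_INI_ALL`, which as far as I can tell lets a script flip `session.use_only_cookies` back off with ini_set() before starting the session; that is consistent with the neighbouring session.* entries, but for an option the commit message presents as an administrator-enforced protection it is worth recording that enforcement depends on the administrator locking the value rather than on the entry itself, e.g. `/* admins must lock this in php.ini; PHP_INI_ALL lets scripts override it */` on the added line. The default of `"0"` preserves existing behaviour, which is the right choice for backward compatibility, but the option should then be mentioned alongside `session.use_cookies` wherever the INI defaults are documented so it is actually discovered.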
@@ -839,7 +840,7 @@ PHPAPI void php_session_start(TSRMLS_D)
 define_sid = 0;
 }
- if (!PS(id) &&
+ if (!PS(use_only_cookies) && !PS(id) &&
 zend_hash_find(&EG(symbol_table), "_GET", sizeof("_GET"), (void **) &data) == SUCCESS &&
 Z_TYPE_PP(data) == IS_ARRAY &&
@@ -849,7 +850,7 @@ PHPAPI void php_session_start(TSRMLS_D)
 send_cookie = 0;
 }
- if (!PS(id) &&
+ if (!PS(use_only_cookies) && !PS(id) &&
 zend_hash_find(&EG(symbol_table), "_POST", sizeof("_POST"), (void **) &data) == SUCCESS &&
 Z_TYPE_PP(data) == IS_ARRAY &&
@@ -864,7 +865,7 @@ PHPAPI void php_session_start(TSRMLS_D)
 '=' to allow URLs of the form http://yoursite/=/script.php */
- if (!PS(id) &&
+ if (!PS(use_only_cookies) && !PS(id) &&
 zend_hash_find(&EG(symbol_table), "REQUEST_URI", sizeof("REQUEST_URI"), (void **) &data) == SUCCESS &&
 Z_TYPE_PP(data) == IS_STRING &&
-- 
2.40.0
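Review bot: The same guard `!PS(use_only_cookies) && !PS(id) &&` is pasted into three separate conditions (this `_GET` hunk, the `_POST` hunk at -849 and the `REQUEST_URI` hunk at -864), so a later edit to one lookup can silently diverge from the others; evaluating the policy once before the first lookup, `int accept_noncookie_sid = !PS(use_only_cookies);`, and testing `accept_noncookie_sid && !PS(id) &&` in each branch keeps it in one place. The cookie lookup that sets `define_sid`/`send_cookie` is not in these hunks, but if it is gated by `use_cookies` as the INI entries suggest, then enabling `use_only_cookies` with `use_cookies` off leaves no path that can ever accept an id and every request silently starts a fresh session; a warning for that combination, either where the INI value is updated or at the top of this function, would spare administrators a confusing debugging session. php_session_start begins and ends outside these hunks.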