I've been reading into some articles about PHP security, and I came across this article:
http://shiflett.org/articles/session-fixation
This article describes that one can easily fixate a session by passing the PHPSESSID variable in a URL request (for example ?PHPSESSID=1234). However, it is my understanding (and please correct me if I am wrong) that PHP treats $_GET, $_SESSION and $GLOBALS as different types of variables when register_globals is set to off in php.ini, and therefore using ?PHPSESSID=1234 in a URL request should not produce this problem.
I have tested the following script:
<?php
// Start (or resume) the session before touching $_SESSION.
session_start();

// First visit: create the counter; later visits: increment it.
if (!isset($_SESSION['count']))
{
    $_SESSION['count'] = 0;
}
else
{
    $_SESSION['count']++;
}

echo $_SESSION['count'];
But I can't seem to reproduce the fixation of sessions on my server, and I assumed it is because I have register_globals set to off in my php.ini.
Am I wrong about this?
It seems important to know for sure.
There is a separate PHP config option, I think session.use_trans_sid, that allows the session to be passed via URL regardless of the register_globals setting.