phpsession-fixationregister-globals

session fixation, still an issue with register_globals off?


I've been reading into some articles about PHP security, and I came across this article:
http://shiflett.org/articles/session-fixation

This article describes that one can easily fixate a session by passing the PHPSESSID variable in a url request (for example ?PHPSESSID=1234). However, it is my understanding (and please correct me if I am wrong) that PHP treats $_GET, $_SESSION and $GLOBALS as different types of variables when register_globals is set to off in php.ini, and therefor using ?PHPSESSID=1234 in a url request should not produce this problem.

I have tested the following script:

session_start(); 

if (!isset($_SESSION['count'])) 
{ 
   $_SESSION['count'] = 0; 
} 
else 
{ 
   $_SESSION['count']++; 
} 

echo $_SESSION['count'];

But I can't seem to reproduce the fixation of sessions on my server, and I assumed it is because I have register_globals set to off in my php.ini.
Am I wrong about this?
It seems important to know for sure.


Solution

  • There is a separate php config option, I think session.use_trans_sid, that allows the session to be passed via url regardless of register_global setting.