Description

When use_trans_sid is enabled, PHP will pass the session ID via the URL. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session ID. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.

Remediation

You can disable session.use_trans_sid from php.ini or .htaccess.

php.ini
session.use_trans_sid = 'off'

.htaccess
php_flag session.use_trans_sid off

References

PHP session.use_trans_sid Is Enabled | Invicti

Related Vulnerabilities

Unchecked GraphQL Query Length: Potential Denial of Service Vulnerability

Content Security Policy (CSP) report-uri Uses HTTP

GraphQL Introspection Query Enabled

Apache Geronimo default administrative credentials

Apache solr service exposed

Severity

Medium

Classification

CWE-598 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration