Summary #

Netsparker detected that the session.use_only_cookies PHP directive is disabled.

Impact #

The session.use_only_cookies PHP directive makes PHP accept a session ID only from the session cookie; with it disabled, PHP will also accept a session ID supplied in the URL (query string) or request body, and, when session.use_trans_sid is on, will rewrite links and forms so that the ID travels in the URL. Passing the session ID in the URL is sometimes seen as a Cross-site Request Forgery (CSRF) defence, because an attacker cannot forge a request without knowing the ID. In practice it leads to more serious session vulnerabilities: session hijacking and session fixation. Session IDs that appear in URLs end up in browser history, proxy and web server log files, bookmarks and shared links, and leak to third-party sites through the Referer header. Because the application adopts any ID presented to it, an attacker can also hand a victim a link carrying an ID the attacker chose (fixation) and take over the session once the victim logs in, or trick the victim into logging into the attacker's own account.

Actions To Take #

You can enable session.use_only_cookies from php.ini, from .htaccess (Apache with mod_php only; under PHP-FPM use the pool configuration or a .user.ini file instead), or at runtime with ini_set() before session_start(). Disable session.use_trans_sid as well, otherwise PHP will still rewrite links and forms to carry the session ID in the URL. Note that session.use_only_cookies has been enabled by default since PHP 5.3.0, so a disabled value means it was explicitly turned off somewhere in the loaded configuration.

  • php.ini:
session.use_only_cookies = 1
  • .htaccess:
php_flag session.use_only_cookies on
Remediation #

In order to prevent session IDs from being passed in the URL, enable session.use_only_cookies and disable session.use_trans_sid in your php.ini or .htaccess file, then confirm the effective values from the web SAPI (for example with phpinfo()), since the command-line php binary may load a different php.ini.
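The following bootstrap shows how to enforce the directive in application code and fail closed if the host configuration is wrong. It is an example added to this page, not Netsparker's code or part of any PHP project; the file name, function names and the related directives it also sets (session.use_trans_sid, session.use_strict_mode and the cookie flags, which go beyond the single directive this page reports) are the editor's choices. It assumes PHP 7.1 or later with the session extension, served over HTTPS.

```php
<?php
// session_bootstrap.php: hardened session start-up (example added to this page,
// not Netsparker's code; file and function names are hypothetical).
// Assumes PHP 7.1+ with the session extension, served over HTTPS.
declare(strict_types=1);

/**
 * Set the session directives at runtime. ini_set() must run before
 * session_start(). Values from php.ini, .htaccess or .user.ini take effect
 * the same way; setting them here makes the application self-contained.
 */
function harden_session_config(): void
{
    // Take the session ID from the cookie only, never from the query string.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_cookies', '1');
    // Do not rewrite links and forms to carry PHPSESSID in the URL.
    ini_set('session.use_trans_sid', '0');
    // Refuse client-supplied IDs that PHP never issued (defeats fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookie attributes: HTTPS only, no JavaScript access, limited cross-site sending.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax'); // ignored on PHP < 7.3
}

/** Normalise an INI flag ("1", "On", "yes", "" ...) to a bool. */
function ini_flag(string $directive): bool
{
    return filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Check the effective configuration. Returns a list of violations; an empty
 * list means the session layer is configured as this page recommends.
 */
function session_config_violations(): array
{
    $violations = [];
    if (!ini_flag('session.use_only_cookies')) {
        $violations[] = 'session.use_only_cookies is disabled: IDs may be taken from the URL';
    }
    if (ini_flag('session.use_trans_sid')) {
        $violations[] = 'session.use_trans_sid is enabled: IDs will be appended to URLs';
    }
    if (!ini_flag('session.use_strict_mode')) {
        $violations[] = 'session.use_strict_mode is disabled: uninitialised IDs are accepted';
    }
    return $violations;
}

/**
 * Start the session, refusing to run on a misconfigured host. As defence in
 * depth, also reject any request that carries the session name in the query
 * string or body: a legitimate client never sends it there.
 */
function start_hardened_session(): void
{
    harden_session_config();
    $violations = session_config_violations();
    if ($violations !== []) {
        error_log('session misconfiguration: ' . implode('; ', $violations));
        http_response_code(500);
        exit('Session configuration error');
    }
    if (isset($_GET[session_name()]) || isset($_POST[session_name()])) {
        http_response_code(400);
        exit('Session ID must not be passed in the URL or request body');
    }
    session_start();
}

/** Call after successful authentication: a fresh ID invalidates any pre-login ID. */
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

start_hardened_session();
```

Include the file from every entry point before any other session access. The explicit rejection of a session name in $_GET or $_POST is not needed once the directive is on, but it turns a silent misconfiguration into a visible error and gives the web server log a clear signal when someone probes the application with a URL-borne ID.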

Classifications #
CWE-598 (Use of GET Request Method With Sensitive Query Strings); OWASP 2013-A5 (Security Misconfiguration); OWASP 2017-A6 (Security Misconfiguration); CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N