Bug #42804 session-ID sent to foreign sites
Submitted: 2007-09-30 22:05 UTC
Modified: 2007-10-01 10:42 UTC
From: mpub at meiners-online dot de
Assigned:
Status: Not a bug
Package: Session related
PHP Version: 5.2.4
OS: Linux
Private report: No
CVE-ID: None
 [2007-09-30 22:05 UTC] mpub at meiners-online dot de
Description:
------------
If I set session.use_trans_sid to 1 and form=xxx is included in url_rewriter.tags, a hidden input field with the session-ID is added to every form. It seems to me that the output handler doesn't care if the action-attribute of the form is an absolute URL as it does when rewriting URLs. So, the session-ID is sent to foreign sites.

Reproduce code:
---------------
ini_set('session.use_trans_sid',    '1');
ini_set('url_rewriter.tags',        'a=href,area=href,frame=src,input=src,form=action,fieldset=');

...

if (strlen(session_id()) < 1)
      session_start();

...


 [2007-10-01 10:42 UTC] jani@php.net
That's one more reason NOT to use trans-sid stuff. If you want total control, don't use it. (Using cookies is much better anyway. Please refer to the manual http://php.net/session for more info.)
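
Added example (not part of the original report or of PHP itself): the cookie-only settings the reply points to, followed by a check that flags rendered forms whose action targets another host while carrying the hidden session field described in the report. The function name, host names and sample markup are assumptions constructed for illustration.

```php
<?php
// Cookie-only session handling: the ID is never written into URLs or forms.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

/**
 * Hypothetical audit helper: return the action URLs of forms that post to a
 * host other than $ownHost and contain a hidden input named $sessionName.
 */
function foreign_forms_with_sid(string $html, string $ownHost, string $sessionName): array
{
    $doc = new DOMDocument();
    // Suppress parser warnings caused by non-well-formed real-world markup.
    @$doc->loadHTML($html);

    $leaks = [];
    foreach ($doc->getElementsByTagName('form') as $form) {
        $action = $form->getAttribute('action');
        $host = parse_url($action, PHP_URL_HOST);
        // Relative actions have no host component and stay on our own site.
        if (!is_string($host) || strcasecmp($host, $ownHost) === 0) {
            continue;
        }
        foreach ($form->getElementsByTagName('input') as $input) {
            if (strcasecmp($input->getAttribute('type'), 'hidden') === 0
                && $input->getAttribute('name') === $sessionName) {
                $leaks[] = $action;
                break;
            }
        }
    }
    return $leaks;
}

// Constructed sample of rewritten output with form=action in url_rewriter.tags:
// one same-site form and one form that posts to a foreign host.
$html = '<html><body>'
      . '<form action="/search.php">'
      . '<input type="hidden" name="PHPSESSID" value="SAMPLE"/></form>'
      . '<form action="https://partner.example/subscribe">'
      . '<input type="hidden" name="PHPSESSID" value="SAMPLE"/></form>'
      . '</body></html>';

// Lists only the action URL of the form that targets partner.example.
print_r(foreign_forms_with_sid($html, 'www.example.org', 'PHPSESSID'));
```

The same function can be run over captured page output in a test suite to confirm that no form leaves the site with a session field attached.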
 
Last updated: Thu Jul 17 14:04:04 2025 UTC