Bug #42804 session-ID sent to foreign sites
Submitted: 2007-09-30 22:05 UTC Modified: 2007-10-01 10:42 UTC
From: mpub at meiners-online dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
 [2007-09-30 22:05 UTC] mpub at meiners-online dot de
Description:
------------
If I set session.use_trans_sid to 1 and form=xxx is included in url_rewriter.tags, a hidden input field with the session-ID is added to every form. It seems to me that the output handler doesn't care if the action-attribute of the form is an absolute URL as it does when rewriting URLs. So, the session-ID is sent to foreign sites.

Reproduce code:
---------------
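<?php
// Enable transparent session-ID rewriting and list form=action among the rewritten tags
ini_set('session.use_trans_sid',    '1');
ini_set('url_rewriter.tags',        'a=href,area=href,frame=src,input=src,form=action,fieldset=');

// ...

// Start a session only if none is active yet
if (strlen(session_id()) < 1) {
    session_start();
}

// ...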


 [2007-10-01 10:42 UTC] jani@php.net
That's one more reason NOT to use trans-sid stuff. If you want total control, don't use it. (Using cookies is much better anyway. Please refer to the manual http://php.net/session for more info.)
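
An added example, not part of the original report or of PHP's own code: it applies the cookie-only configuration recommended in the reply and audits rendered HTML for the condition the report describes, a form with a foreign absolute action that carries a hidden session-ID field. The helper name `formsLeakingSessionId`, the host names, and the sample markup are assumptions constructed for illustration; it needs the DOM extension.

```php
<?php
// Added example. Cookie-only sessions: the ID is never written into markup.
// These must run before any output and before session_start().
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');

/**
 * Return the action URLs of forms that post to another host while carrying
 * a hidden input named after the session (hypothetical audit helper).
 */
function formsLeakingSessionId(string $html, string $sessionName, string $ownHost): array
{
    libxml_use_internal_errors(true);          // tolerate sloppy markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();

    $leaks = [];
    foreach ($doc->getElementsByTagName('form') as $form) {
        $host = parse_url($form->getAttribute('action'), PHP_URL_HOST);
        if (!$host || strcasecmp($host, $ownHost) === 0) {
            continue;                          // relative or same-host action
        }
        foreach ($form->getElementsByTagName('input') as $input) {
            if (strcasecmp($input->getAttribute('type'), 'hidden') === 0
                && $input->getAttribute('name') === $sessionName) {
                $leaks[] = $form->getAttribute('action');
                break;                         // one finding per form
            }
        }
    }
    return $leaks;
}

// Constructed sample of rewritten output: both forms received the hidden field.
$rendered = <<<'HTML'
<html><body>
<form action="/search.php"><input type="hidden" name="PHPSESSID" value="constructed-id"><input name="q"></form>
<form action="https://partner.example/subscribe"><input type="hidden" name="PHPSESSID" value="constructed-id"><input name="email"></form>
</body></html>
HTML;

foreach (formsLeakingSessionId($rendered, 'PHPSESSID', 'www.example.org') as $action) {
    echo "session ID would be posted to: $action\n";
}
```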