Newsgroups: php.internals
Date: Thu, 29 Mar 2012 18:13:51 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: session.use_cookies and session.use_only_cookies

Hi,

While I was testing strict session, I noticed that there is a problem in the current session module behavior.

From the manual:

----
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involving passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.
----

When "session.use_only_cookies=off", "session.use_trans_sid=on" should be effective. However, to make "session.use_trans_sid=on" effective, PHP 5.4 (maybe 5.3, too) requires "session.use_cookies=off".

This behavior makes the "session.use_only_cookies" setting useless. Since cookies are mandatory for secure web applications, this behavior is not good for applications that need both cookie and URL based sessions, too. There are still many mobile devices that do not support cookies, so I would like to fix this issue.

Is there any comment?

--
Yasuo Ohgaki
yohgaki@ohgaki.net
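The three INI settings discussed in the post decide whether a session ID may travel in the URL at all, which is what makes the combination a security setting rather than a convenience one. The following is an added example, not code from the post or from the PHP session module: a small audit that evaluates a set of session INI values (either a php.ini under review or the running interpreter's own values) and reports which ID transports the configuration permits, followed by the hardened values this example recommends. The INI key names are PHP's real keys; the severity labels, the audit functions and the sample configuration are this example's own constructions.

```php
<?php
// Added example, not code from the mailing-list post or from PHP itself:
// a defender-side audit of the session INI settings the post discusses.
// It takes the settings as an array so it can be run against a php.ini
// under review as well as against the live process (see usage below).
// Key names are PHP's real INI keys; severities are this example's choice.

function iniBool($value): bool
{
    // php.ini accepts 1/0, on/off, true/false, yes/no; mirror that here.
    return filter_var((string) $value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Return a list of [severity, message] findings describing which
 * transports the configuration allows session IDs to use.
 */
function auditSessionTransport(array $ini): array
{
    // Defaults match PHP 5.3+ when a key is absent from the array.
    $useCookies     = iniBool($ini['session.use_cookies']      ?? '1');
    $useOnlyCookies = iniBool($ini['session.use_only_cookies'] ?? '1');
    $useTransSid    = iniBool($ini['session.use_trans_sid']    ?? '0');

    $findings = [];

    if (!$useCookies) {
        // No cookie at all: the ID can only travel in the URL, so it ends up
        // in Referer headers, proxy logs and browser history.
        $findings[] = ['high', 'session.use_cookies=0: session IDs are carried only in URLs'];
    }

    if (!$useOnlyCookies) {
        // The ID is also read from GET/POST, which is the precondition for
        // fixation through a crafted link.
        $findings[] = ['high', 'session.use_only_cookies=0: session IDs are accepted from the request, not only from the cookie'];
        if ($useTransSid) {
            $findings[] = ['medium', 'session.use_trans_sid=1: session IDs are rewritten into links and forms and leak through Referer and logs'];
        }
    } elseif ($useTransSid) {
        // Requested, but use_only_cookies makes URL-carried IDs irrelevant.
        $findings[] = ['info', 'session.use_trans_sid=1 has no effect on accepted IDs while session.use_only_cookies=1'];
    }

    if ($findings === []) {
        $findings[] = ['ok', 'session IDs travel only in the cookie'];
    }

    return $findings;
}

/** The hardened values this example recommends, in php.ini syntax. */
function hardenedSessionIni(): string
{
    return implode("\n", [
        'session.use_cookies = 1',
        'session.use_only_cookies = 1',
        'session.use_trans_sid = 0',
        // Not discussed in the post; these keys exist in later PHP versions
        // (use_strict_mode since PHP 5.5.2) and complement the three above.
        'session.use_strict_mode = 1',
        'session.cookie_httponly = 1',
        'session.cookie_secure = 1',
    ]) . "\n";
}

// --- usage ---------------------------------------------------------------

// Constructed sample: the configuration the post says PHP 5.4 needs for
// trans_sid to take effect (cookies off, IDs only in URLs).
$sample = [
    'session.use_cookies'      => '0',
    'session.use_only_cookies' => '0',
    'session.use_trans_sid'    => '1',
];
echo "Sample configuration:\n";
foreach (auditSessionTransport($sample) as [$severity, $message]) {
    printf("[%-6s] %s\n", $severity, $message);
}

// Live process: read the same keys from the running interpreter. ini_get()
// returns false when the key is unknown (session extension not loaded), in
// which case the key is left out and the audit falls back to the default.
$live = [];
foreach (['session.use_cookies', 'session.use_only_cookies', 'session.use_trans_sid'] as $key) {
    $value = ini_get($key);
    if ($value !== false) {
        $live[$key] = $value;
    }
}
echo "\nRunning interpreter:\n";
foreach (auditSessionTransport($live) as [$severity, $message]) {
    printf("[%-6s] %s\n", $severity, $message);
}

echo "\nRecommended php.ini fragment:\n", hardenedSessionIni();
```

Run it with `php audit.php` on the host under review; the constructed sample produces three findings (two high, one medium), while a default PHP 5.3+ installation produces the single `ok` line. The audit deliberately treats `session.use_only_cookies` as the deciding key: as long as it is on, the value of `session.use_trans_sid` cannot widen the set of accepted transports, which is the property the post's proposed change would need to preserve.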