PHP session tokens are normally transmitted through HTTP cookies. However, for clients that do not support cookies and when the PHP
session.use_trans_sid setting is enabled, those tokens can be transmitted as URL parameters.
GET URL parameters can be disclosed in a variety of ways, for example through the browser address bar and navigation history, or in web server and intermediate proxy log files.
Attackers with access to any of those disclosure locations will be able to see and steal a victim's session token. They can then use it to log in as the user, impersonate their account, and take advantage of their privileges.
Such an attack can be more or less severe depending on the victim’s privileges. Common security impacts range from data theft to application takeover.
Attackers with access to a compromised account will be able to disclose any information stored on it. This includes the Personally Identifiable Information (PII) of the user.
The confidentiality of PII is a requirement from national security regulatory authorities in most countries. Insufficiently protecting this data could have legal consequences and lead to fines or other prosecutions.
Attackers who compromise the account of a high-privileged user could modify internal web application logic, disrupt workflows, or change other application settings in a way that will give them full control over it.
Such an attack would lead to reputational damages and financial and legal consequences.
Noncompliant code example:

```ini
; php.ini
session.use_trans_sid=1 ; Noncompliant
```

Compliant solution:

```ini
; php.ini
session.use_trans_sid=0
```

The compliant code example disables the session.use_trans_sid setting.
Note that this parameter is off by default.
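As an added example that is not part of the original rule page, the following PHP session bootstrap disables URL-based session ids at runtime and verifies the effective configuration before starting the session. It assumes PHP 7.3 or later and an HTTPS deployment; the function names harden_session_transport and check_session_transport are hypothetical.

```php
<?php
// Added example (not from the original rule page): enforce cookie-only
// transport of the PHP session id and fail fast if the effective
// configuration would still leak the id into URLs.
// Assumes PHP >= 7.3 and that the application is served over HTTPS.

function harden_session_transport(): void
{
    // Never append the session id to URLs or forms, even for cookie-less clients.
    ini_set('session.use_trans_sid', '0');
    // Ignore any session id that arrives as a GET/POST parameter; only cookies count.
    ini_set('session.use_only_cookies', '1');
    // Defence in depth: keep the cookie out of scripts and off plaintext HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Returns the settings that still allow URL-based session ids, so a
// deployment (or a health check) can refuse to run with a leaky configuration.
function check_session_transport(): array
{
    $problems = [];
    if (filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_trans_sid is enabled';
    }
    if (!filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_only_cookies is disabled';
    }
    return $problems;
}

harden_session_transport();
$problems = check_session_transport();
if ($problems !== []) {
    http_response_code(500);
    exit('Insecure session configuration: ' . implode('; ', $problems));
}

session_start();

// A session id in the query string points to an old trans_sid link or a
// fixation attempt. With use_only_cookies it is already ignored; regenerating
// the id and logging the event gives defenders a signal to investigate.
$sidName = session_name();
if (isset($_GET[$sidName])) {
    session_regenerate_id(true);
    error_log("session id received via URL parameter '{$sidName}'; regenerated");
}
```

The same checks can be run against a live deployment by pointing check_session_transport at the ini values that phpinfo() reports, which catches a php.ini override that the application code did not expect.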