Jump to content


This topic is now archived and is closed to further replies.


Session security

Recommended Posts

session.use_only_cookies  boolean

    session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.

does this mean when ever we use sessions we should have this enabled. Even if u don't pass your session id alon with url? I am using php5 is still a problem?

Share this post

Link to post
Share on other sites

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

Share this post

Link to post
Share on other sites


Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.