
PHP : Session ID in URL

Overview

The application lets PHP place the session identifier into the URL. This exposes it to session hijacking and session fixation.

When the option session.use_trans_sid is enabled, PHP transmits the session identifier as part of the URL (it rewrites links and forms to carry the ID). An attacker who learns the identifier can hijack the session, or can trick the user into using a prepared session whose identifier the attacker already controls.

URL parameters are far more visible than POST parameters or cookie values: they end up in the browser history, in bookmarks, in web-server and proxy log files, in Referer headers, and in other widely accessible places. If an attacker obtains the secret session identifier from any of these, they can take over the user's session.

Beyond disclosure, carrying the session ID in the URL enables "session fixation". Sample attack: an attacker creates a new session, records its ID, and tricks the victim into authenticating with a link that carries that session identifier; once the victim logs in, the attacker's known ID is the authenticated session.
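The following is an added example, not DerScanner's code or part of this entry: a session bootstrap that keeps the identifier out of the URL (the weak php.ini settings are shown in the header comment for contrast), a self-check that reports which directives are still in the weak state, and an ID rotation on login that defeats the fixation scenario above. The function names and the request flow at the bottom are assumptions made for the illustration.

```php
<?php
// Added example (not DerScanner's code): hardened PHP session bootstrap that
// keeps the session ID out of the URL, plus a check for the weak settings.
//
// Weak php.ini configuration this entry describes (shown for contrast):
//   session.use_trans_sid    = 1   ; PHP rewrites links/forms to carry PHPSESSID
//   session.use_only_cookies = 0   ; a session ID supplied in the URL is accepted
//   session.use_strict_mode  = 0   ; an unknown, attacker-chosen ID is adopted

declare(strict_types=1);

/**
 * Apply session settings that prevent the ID from being carried in the URL
 * and that resist fixation. Must run before session_start().
 */
function harden_session_config(): void
{
    ini_set('session.use_trans_sid', '0');    // never append PHPSESSID to URLs
    ini_set('session.use_only_cookies', '1'); // ignore IDs arriving in GET/POST
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');  // cookie not readable by page scripts
    ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS
    ini_set('session.cookie_samesite', 'Lax');
}

/**
 * Return the names of session directives that are still in the weak state.
 * Intended as a deployment self-check; an empty array means all settings hold.
 */
function weak_session_directives(): array
{
    $expected = [
        'session.use_trans_sid'    => '0',
        'session.use_only_cookies' => '1',
        'session.use_strict_mode'  => '1',
        'session.cookie_httponly'  => '1',
        'session.cookie_secure'    => '1',
    ];
    $weak = [];
    foreach ($expected as $directive => $want) {
        if ((string) ini_get($directive) !== $want) {
            $weak[] = $directive;
        }
    }
    return $weak;
}

/**
 * Call once credentials have been verified: rotate the ID so that a value the
 * client brought with it (the fixation scenario) never becomes the
 * authenticated session. The `true` argument deletes the old session data.
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Hypothetical request flow (assumed for the example):
harden_session_config();
if ($weak = weak_session_directives()) {
    error_log('session hardening incomplete: ' . implode(', ', $weak));
}
session_start();
// ... after the login form is validated:
// login_user($authenticatedUserId);
```

Two notes on the design: session.use_only_cookies has defaulted to 1 since PHP 5.3, but session.use_strict_mode still defaults to 0, so a server that accepts cookies only will still adopt an unknown ID presented by the client unless strict mode is switched on; and session.cookie_secure = 1 means the cookie is never sent over plain HTTP, which is the intent in production but will look like "sessions do not persist" on an HTTP-only development host.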

DerScanner Severity Score: CRITICAL
