PHP : Session strict mode disabled

Overview

The session.use_strict_mode option is disabled.

When enabled, session.use_strict_mode prevents the session module from using uninitialized session IDs.

Because of the cookie specification, an attacker can set undeletable session ID cookies through JavaScript injection or through the local cookie database. Enabling session.use_strict_mode prevents an attacker-initialized session ID from being used.
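
A configuration check for this finding, as an added example that is not part of the original page or DerScanner's own code: it parses php.ini text and reports whether session.use_strict_mode is effectively on. The function names and sample configurations are constructed for illustration, and it assumes only php.ini is inspected, so ini_set() calls and per-directory overrides are not covered.

```python
"""Audit php.ini text for the session.use_strict_mode finding (added example)."""

DIRECTIVE = "session.use_strict_mode"
# Keywords PHP's INI parser treats as boolean true (case-insensitive).
TRUE_WORDS = {"on", "true", "yes"}


def strict_mode_enabled(ini_text: str) -> bool:
    """Return the effective value of session.use_strict_mode in ini_text."""
    enabled = False  # PHP's built-in default is 0, so "absent" means disabled
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments (including a commented-out directive)
        # and section headers such as [Session].
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != DIRECTIVE:
            continue
        # Drop a trailing comment and optional quotes around the value.
        value = value.split(";", 1)[0].strip().strip("\"'").lower()
        # Other values are read as integers: non-zero enables, the rest disable.
        # A later assignment replaces an earlier one, so keep scanning.
        enabled = value in TRUE_WORDS or (value.isdigit() and int(value) != 0)
    return enabled


# Constructed sample configurations, not taken from any real system.
SAMPLES = {
    "absent": "[Session]\nsession.save_handler = files\n",
    "explicit_off": "session.use_strict_mode = 0\n",
    "commented_out": ";session.use_strict_mode = 1\n",
    "enabled": "[Session]\nsession.use_strict_mode = On ; reject unknown IDs\n",
    "overridden": "session.use_strict_mode = 1\nsession.use_strict_mode = Off\n",
}


def audit(samples: dict) -> dict:
    """Map each sample name to True when the finding applies (strict mode off)."""
    return {name: not strict_mode_enabled(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, finding in audit(SAMPLES).items():
        print(f"{name}: {'FINDING - strict mode disabled' if finding else 'ok'}")
```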

DerScanner Severity Score: MEDIUM
