When snacks are disabled, (and periods are used) the default .htaccess file enables php to append a get variable towards the finish from the url that contains the session id to carry on using periods. Clearly this can be a major security flaw, but performs this mean (I do not have a custom server to check on and many servers have this off) that somebodies session could be utilized everywhere, as lengthy because the session is open and something has got the id?
for instance, say we've Joe, and Joe is drenched right into a site having a session based login system. she enabled snacks, and her session Id is 1234.
only then do we have bob, who lives in africa and stalks Joe. they know her id is 1234, so he would go to www.unsecuresite.com/index.php?PHPSESSID=1234
with an unsecure site, will this enable him with use of her account, giving the php script all her session variables?
Yes it's unsecure, particularly with while using URL parameter while you say.
The session module cannot guarantee the information you store inside a session is just seen through the user who produced the session. You have to take additional measures to positively safeguard the integrity from the session, with respect to the value connected by using it.
Assess the significance of the information transported because of your periods and deploy additional protections -- this usually comes in a cost, reduced convenience for that user. For instance, if you wish to safeguard customers from simple social engineering tactics, you have to enable session.use_only_snacks. For the reason that situation, snacks should be enabled without any reason around the user side, or periods won't work.
You will find a number of ways to leak a current session id to 3rd parties. A leaked session id allows the 3rd party to gain access to all assets that are connected having a specific id. First, Web addresses transporting session ids. Should you connect to an exterior site, the URL such as the session id may be saved within the exterior site's referrer logs. Second, a far more active attacker might pay attention to your network traffic. If it's not encoded, session ids will flow in plain text within the network. The answer here's to implement SSL in your server making it mandatory for customers.