I've been reading into some articles about PHP security, and I came across this article:
http://shiflett.org/articles/session-fixation
This article describes that one can easily fixate a session by passing the PHPSESSID variable in a URL request (for example ?PHPSESSID=1234). However, it is my understanding (and please correct me if I am wrong) that PHP treats $_GET, $_SESSION and $GLOBALS as different types of variables when register_globals is set to off in php.ini, and therefore using ?PHPSESSID=1234 in a URL request should not produce this problem.
I have tested the following script:
<?php
session_start();
// First visit: initialise the counter; later visits in the same session: increment it.
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}
echo $_SESSION['count'];
But I can't seem to reproduce the fixation of sessions on my server, and I assumed it is because I have register_globals set to off in my php.ini.
Am I wrong about this?
It seems important to know for sure.
There is a separate PHP config option, I think session.use_trans_sid, that allows the session to be passed via URL regardless of the register_globals setting.
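As an added example (not code from the question or the answer above): a hardened version of the counter script from the question, showing the session settings that actually govern whether a PHPSESSID in the URL is honoured, and a request-level check on top of them. register_globals does not matter here because the session extension reads the cookie or query string itself; what matters is session.use_only_cookies (whether an ID in the query string is accepted), session.use_trans_sid (whether PHP rewrites links to carry the ID) and, on PHP 5.5.2 and later, session.use_strict_mode (whether an ID the server never issued, such as "1234", is rejected). The values are set with ini_set() inside the script so the example does not depend on a particular php.ini; the "initiated" flag is this example's own marker, not anything the original script used.

```php
<?php
// Added example, not from the original question or answer.

// Accept the session ID only from the cookie, never from ?PHPSESSID=... in the URL.
ini_set('session.use_only_cookies', '1');
// Do not rewrite links and forms to carry the session ID in the URL.
ini_set('session.use_trans_sid', '0');
// PHP 5.5.2+: discard any ID the server did not issue and generate a fresh one,
// so an attacker-chosen ID such as "1234" is never adopted.
ini_set('session.use_strict_mode', '1');
// Keep the session cookie out of reach of JavaScript.
ini_set('session.cookie_httponly', '1');

// Defence in depth: refuse the request outright if a session ID arrived in the
// query string, regardless of how the ini settings are configured on this host.
if (isset($_GET[session_name()])) {
    http_response_code(400);
    exit("session ID must not be passed in the URL\n");
}

session_start();

// On the first request of a session, replace whatever ID the client presented
// with a server-generated one (and delete the old session file). The same
// session_regenerate_id(true) call belongs after any login or privilege change.
if (!isset($_SESSION['initiated'])) {   // 'initiated' is this example's own flag
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}

header('Content-Type: text/plain');
echo "session id: " . session_id() . "\n";
echo "count: " . $_SESSION['count'] . "\n";
echo "use_only_cookies=" . ini_get('session.use_only_cookies')
   . " use_trans_sid=" . ini_get('session.use_trans_sid')
   . " use_strict_mode=" . ini_get('session.use_strict_mode') . "\n";
```

To reproduce the behaviour the question asks about, run the original counter script with session.use_only_cookies set to 0 and request it twice from a client that sends no cookie but appends ?PHPSESSID=1234 each time: the counter increments, which shows the server adopted the attacker-chosen ID. With the settings above the first request returns a fresh, server-generated ID and a repeat of the URL request is rejected with a 400.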