Php Htaccess Insecure Session Configuration
Description
Detects insecure PHP session configurations in .htaccess files where session.use_only_cookies is disabled. This configuration allows attackers to pass session IDs via URLs, making the application vulnerable to session fixation and hijacking attacks.
Weakness: 276 - Sensitive information sent via URL parameters - Session
Category: Information Collection
Detection Strategy
• Check for uncommented lines in .htaccess files that start with 'php_flag'
• Look for the 'session.use_only_cookies' directive on those lines
• Report the line if the directive is set to an insecure value such as 'off', '0' or 'false'
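Added example, not part of the Fluid Attacks rule or its implementation: a small Python checker that applies the three steps above to the lines of an .htaccess file, skipping commented lines and reporting only active directives with an insecure value. As an assumption beyond the rule text it also accepts php_value and quoted values; the sample .htaccess content is constructed.

```python
import re
import sys

# Active php_flag/php_value line that sets session.use_only_cookies.
# The rule text names php_flag only; php_value is included as an assumption,
# since a boolean ini setting can also be assigned that way.
DIRECTIVE_RE = re.compile(
    r"^php_(?:flag|value)\s+session\.use_only_cookies\s+(\S+)",
    re.IGNORECASE,
)
# Values the rule treats as disabling the directive.
INSECURE_VALUES = {"off", "0", "false"}


def find_insecure_session_config(lines):
    """Return [(line_number, normalized_value)] for every uncommented line
    that sets session.use_only_cookies to an insecure value."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        stripped = raw.strip()
        # Blank lines and comments are not active configuration; skip them.
        if not stripped or stripped.startswith("#"):
            continue
        match = DIRECTIVE_RE.match(stripped)
        if match is None:
            continue
        # Apache allows the value to be quoted; compare case-insensitively.
        value = match.group(1).strip("\"'").lower()
        if value in INSECURE_VALUES:
            findings.append((lineno, value))
    return findings


# Constructed sample .htaccess content; line 2 is commented out and line 7 is secure.
SAMPLE_HTACCESS = """\
# Apache .htaccess configuration
# php_flag session.use_only_cookies Off
php_flag session.use_only_cookies Off
php_value session.use_only_cookies 0
php_flag session.cookie_httponly On
PHP_FLAG session.use_only_cookies "false"
php_flag session.use_only_cookies On
"""

if __name__ == "__main__":
    # Pass a real .htaccess path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for lineno, value in find_insecure_session_config(text.splitlines()):
        print(f"line {lineno}: session.use_only_cookies set to {value!r} (insecure)")
```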
Vulnerable code example
# Apache .htaccess configuration
# Sets PHP session security options
# VULNERABLE: Allows attackers to pass session IDs via URL/POST (enables session fixation)
php_flag session.use_only_cookies Off
# Other session settings
php_flag session.cookie_httponly On
✅ Secure code example
# Apache .htaccess configuration
# Sets PHP session security options
# SECURE: Forces PHP to only accept session IDs from cookies, preventing session fixation
php_flag session.use_only_cookies On
# Additional security: Makes session cookie inaccessible to JavaScript
php_flag session.cookie_httponly On