Php Ini Insecure Session Configuration

Description

Detects insecure PHP session configuration settings that enable session fixation. When session.use_only_cookies is disabled (set to 0, off, false or no), PHP also accepts the session ID from the query string or request body instead of only from the session cookie. An attacker can then hand a victim a link that carries a session ID of the attacker's choosing; once the victim authenticates, the attacker reuses that same ID to hijack the authenticated session. A session ID carried in a URL additionally leaks through browser history, proxy and web-server logs, and the Referer header. PHP's built-in default for this directive is 1, so the finding is reported only when a php.ini explicitly turns it off.

Weakness:

276 - Sensitive information sent via URL parameters - Session

Category: Information Collection

Detection Strategy

    Scans php.ini configuration files for session settings

    Checks if 'session.use_only_cookies' directive exists in the [Session] section

    Reports a vulnerability if the directive is set to insecure values like '0', 'off', 'false', or 'no'

    Identifies the exact line number where the insecure configuration appears in the file

Vulnerable code example

; php.ini example file for testing session configuration
[PHP]
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60...

✅ Secure code example

; php.ini example file for testing session configuration
[PHP]
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60...
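The examples above are cut off before the [Session] section, so the block below is an added illustration, not code from the page or from the scanner it documents. It embeds two constructed php.ini fragments, one with the weak setting and one with the corrected one, and a small scanner that applies the detection strategy above: it tracks the current ini section, looks for session.use_only_cookies inside [Session], treats the values PHP's ini parser reads as false (0, off, false, no, none and empty) as insecure, and returns the line number of each hit. The hardened sample also sets session.use_strict_mode = 1 and session.use_trans_sid = 0; those two directives are additional hardening assumed here, not part of the rule described on this page.

```python
"""Detect an insecure session.use_only_cookies directive in php.ini-style text.

Added example; the sample ini fragments are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Values PHP's ini parser treats as false: "0", off, false, no, none and "".
INSECURE_VALUES = {"0", "off", "false", "no", "none", ""}

# Constructed php.ini fragment with the weak setting (not from a real deployment).
VULNERABLE_INI = """; constructed php.ini sample with an insecure session setting
[PHP]
allow_url_include = Off
default_socket_timeout = 60

[Session]
session.save_handler = files
session.use_only_cookies = 0
session.use_trans_sid = 1
session.cookie_httponly = 1
"""

# Constructed php.ini fragment with the corrected setting plus extra hardening
# (use_strict_mode / use_trans_sid are assumptions beyond the rule on this page).
SECURE_INI = """; constructed php.ini sample with the hardened session setting
[PHP]
allow_url_include = Off
default_socket_timeout = 60

[Session]
session.save_handler = files
session.use_only_cookies = 1
session.use_trans_sid = 0
session.use_strict_mode = 1
session.cookie_httponly = 1
"""

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def _normalize(value: str) -> str:
    """Drop an inline ';' comment and surrounding quotes, then lowercase."""
    value = value.split(";", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value.strip().lower()


def find_insecure_session_cookies(ini_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, raw_line) for each insecure session.use_only_cookies.

    Only directives inside the [Session] section count, matching the detection
    strategy above. A missing directive is not reported because PHP's built-in
    default is 1, so absence alone is not insecure.
    """
    findings: List[Tuple[int, str]] = []
    section: Optional[str] = None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or full-line comment
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m or section != "session":
            continue
        key, value = m.group(1).lower(), _normalize(m.group(2))
        if key == "session.use_only_cookies" and value in INSECURE_VALUES:
            findings.append((lineno, raw))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_INI), ("secure", SECURE_INI)):
        hits = find_insecure_session_cookies(text)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, raw in hits:
            print(f"  line {lineno}: {raw.strip()}")
```

Two caveats when using a check like this in practice: php.ini is not the only place the directive can be set (ini_set() at runtime, .user.ini files, and php_value / php_admin_value in Apache configuration can all override it), and a directive placed outside [Session] is still honored by PHP even though this rule, like the scanner it describes, only inspects that section.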