All
The PHPSESSID is displayed in my MediaWiki site. How secure is it to have PHPSESSID displayed? If it can be disabled what is the best way to do it? Thanks
sarath
sarath wrote:
The PHPSESSID is displayed in my MediaWiki site. How secure is it to have PHPSESSID displayed? If it can be disabled what is the best way to do it? Thanks
This is a PHP sessions option; I'd recommend turning it off, as session IDs could be taken from the referer information passed by the browser when the user clicks on an external link.
I believe the option to turn off is session.use_trans_sid. You can do this in php.ini, possibly in an .htaccess, or with the ini_set() function in your LocalSettings.php.
http://www.php.net/session
http://www.php.net/ini_set
-- brion vibber (brion @ pobox.com)
mediawiki-l@lists.wikimedia.org
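Added example, not part of the original thread: a small Python check that reads php.ini text and reports whether PHP may still put the session ID into URLs. The function names and the sample file are constructed for illustration; `session.use_only_cookies` is a real PHP directive that the thread does not mention, included because it controls whether PHP accepts a session ID from the URL.

```python
import re

# Safe value for each directive that controls session IDs in URLs.
# session.use_only_cookies is an addition here; the thread names only use_trans_sid.
SAFE = {"session.use_trans_sid": False, "session.use_only_cookies": True}
TRUE_WORDS = {"1", "on", "true", "yes"}

# Constructed sample, not taken from any real server.
SAMPLE_INI = """\
[Session]
session.use_cookies = 1
session.use_trans_sid = On   ; appends PHPSESSID to links
;session.use_only_cookies = 1
"""

def parse_php_ini(text):
    """Return {directive: raw value}; a later assignment overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return values

def as_bool(raw):
    """Interpret a php.ini boolean: On/True/Yes or a non-zero integer is true."""
    raw = raw.lower()
    if raw in TRUE_WORDS:
        return True
    return raw.lstrip("-").isdigit() and int(raw) != 0

def audit(text):
    """Return (directive, value, advice) for each setting not pinned to its safe value."""
    values = parse_php_ini(text)
    findings = []
    for name, safe in SAFE.items():
        if name not in values:
            findings.append((name, "unset", "default depends on PHP version; set it explicitly"))
        elif as_bool(values[name]) != safe:
            findings.append((name, values[name], "set to " + ("On" if safe else "Off")))
    return findings

if __name__ == "__main__":
    for name, value, advice in audit(SAMPLE_INI):
        print(f"{name} = {value}: {advice}")
```

This inspects only the php.ini text it is given; as the reply notes, the value can also be set in an .htaccess file or with ini_set() in LocalSettings.php, so the effective runtime value may differ.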