[Mediawiki-l] PHPSESSID in MediaWiki

Brion Vibber brion at pobox.com
Wed Feb 9 03:16:42 UTC 2005


sarath wrote:
> The PHPSESSID is displayed in my MediaWiki site. How secure is it to
> have PHPSESSID displayed? If it can be disabled what is the best way to
> do it? Thanks

This is a PHP sessions option; I'd recommend turning it off, as session
IDs could be taken from the referer information passed by the browser
when the user clicks on an external link.

I believe the option to turn off is session.use_trans_sid. You can do
this in php.ini, possibly in an .htaccess, or with the ini_set()
function in your LocalSettings.php.

http://www.php.net/session
http://www.php.net/ini_set

-- brion vibber (brion @ pobox.com)
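
An added example (not part of the original message and not MediaWiki code): a PHP sketch that turns off the option named above before any session starts, confirms the setting took effect, and scans markup for links that still carry the session ID. The function names and sample HTML are constructed for illustration, and also setting session.use_only_cookies is an assumption beyond what the message recommends.

```php
<?php
// Added example; function names are hypothetical. Run before session_start().

// Turn off URL-based session IDs; return the settings that did not take effect
// (for instance because a session is already active or the host locks them).
function disable_url_session_ids(): array
{
    $wanted = [
        'session.use_trans_sid'    => false, // stop PHP appending PHPSESSID to links and forms
        'session.use_only_cookies' => true,  // assumption: also refuse session IDs sent in the URL
    ];
    $notApplied = [];
    foreach ($wanted as $name => $on) {
        @ini_set($name, $on ? '1' : '0');
        // ini_get() returns strings such as "", "0", "1", "On"; normalise to bool.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN) !== $on) {
            $notApplied[] = $name;
        }
    }
    return $notApplied;
}

// Return every href in $html whose query string carries the session ID parameter.
function links_carrying_session_id(string $html, string $param): array
{
    $hits = [];
    preg_match_all('/href\s*=\s*(["\'])(.*?)\1/i', $html, $m);
    foreach ($m[2] as $href) {
        $query = parse_url(html_entity_decode($href), PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string, or an unparsable URL
        }
        parse_str($query, $args);
        if (array_key_exists($param, $args)) {
            $hits[] = $href;
        }
    }
    return $hits;
}

$notApplied = disable_url_session_ids();
echo $notApplied ? 'Not applied: ' . implode(', ', $notApplied) . "\n" : "URL session IDs disabled\n";

// Constructed sample markup: the first link is what use_trans_sid produces.
$sample = '<a href="/index.php?title=Main_Page&amp;PHPSESSID=0123456789abcdef">Main</a>'
        . '<a href="/index.php?title=Help">Help</a>';
print_r(links_carrying_session_id($sample, session_name()));
```

A non-empty result from `disable_url_session_ids()` means the change has to be made in php.ini or .htaccess instead.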