From 699ccceaa4d2a7ca827de759b8f61323b6cf8b99 Mon Sep 17 00:00:00 2001
From: Yasuo Ohgaki
Date: Wed, 14 Aug 2002 06:45:23 +0000
Subject: Added trans_sid security risk examples.
---
php.ini-dist | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'php.ini-dist')
diff --git a/php.ini-dist b/php.ini-dist
index f63bdfe98f..b497e804e9 100644
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -808,8 +808,14 @@ session.cache_limiter = nocache
 session.cache_expire = 180
 ; trans sid support is disabled by default.
-; Use of trans sid may risk your users security. It may not be
-; feasible to use this option for some sites. Use this option with caution.
+; Use of trans sid may risk your users security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publically accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
 session.use_trans_sid = 0
 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
-- 
cgit v1.2.1
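Review bot: The new risk list above `session.use_trans_sid = 0` omits the two leak paths an administrator most needs to know about: a session ID carried in the URL is sent to every third-party site the user clicks through to (in the HTTP Referer header) and is written to proxy and web-server access logs, and because the ID is accepted from the URL an attacker can hand a victim a link carrying an ID of the attacker's choosing and then share the session once the victim logs in (session fixation). Suggest two more bullets after the bookmarks bullet, in the same style: `; - URL that contains active session ID is sent to other sites in the Referer header and written to proxy/server logs.` and `; - Attacker may give the user a URL with a session ID of attacker's choice and then use that session after the user logs in.`. The wording of the added lines also has small errors worth fixing while the hunk is open: `via.` has a stray period, `publically` should be `publicly`, and `URL contains active session ID` reads better as `URL containing an active session ID`.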