Hi,
There are 3 allowed values for cookieMode for Yii sessions:
- none
- allow
- only
From a security perspective which value is the best and why?
Thanking you,
Chamal.
‘only’.
You shouldn’t be using transparent SIDs unless there is a good reason; see PHP Security Guide: Sessions.
Basically anything but ‘only’ allows Session IDs in URLs. This is exploitable, since an attacker can send a user to your site with a Session ID and then reuse that same Session ID to steal personal information.
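
The setting recommended in the reply above, shown as a session component configuration with a startup check. This is an added example, not part of the original posts or of Yii's own code; it assumes Yii 1.1's `CHttpSession`, and the names `$sessionConfig` and `urlSessionIdRisks()` are hypothetical.

```php
<?php
// Added example. Assumes Yii 1.1 (CHttpSession); variable and function names are hypothetical.

// Session component settings, to be placed under 'components' => array('session' => ...)
// in the application configuration.
$sessionConfig = array(
    'class' => 'CHttpSession',
    // 'none'  : cookies are off, so the session ID has to travel in the URL
    // 'allow' : cookie is preferred, but an ID supplied in the URL is still accepted
    // 'only'  : the session ID is read from the cookie and nowhere else
    'cookieMode' => 'only',
    // Never rewrite links and forms to carry the session ID.
    'useTransparentSessionID' => false,
    // Keep the cookie away from scripts; 'secure' assumes the site is served over HTTPS.
    'cookieParams' => array('httponly' => true, 'secure' => true),
);

/**
 * Returns the PHP session settings that would still let a session ID
 * arrive through the URL. An empty array means cookie-only sessions.
 */
function urlSessionIdRisks()
{
    // ini_get() may return "1", "On", "0" or "" for boolean settings.
    $on = function ($key) {
        return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    };

    $risks = array();
    if (!$on('session.use_cookies')) {
        $risks[] = 'session.use_cookies is off (cookieMode "none")';
    }
    if (!$on('session.use_only_cookies')) {
        $risks[] = 'session.use_only_cookies is off (cookieMode "none" or "allow")';
    }
    if ($on('session.use_trans_sid')) {
        $risks[] = 'session.use_trans_sid is on (transparent SIDs)';
    }
    return $risks;
}

// Report at startup, after the session component has been configured.
foreach (urlSessionIdRisks() as $risk) {
    error_log('Session hardening: ' . $risk);
}
```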