Security bugs


From: Davi Leal
Subject: Security bugs
Date: Mon, 16 Apr 2007 23:45:39 +0200
User-agent: KMail/1.9.5

Steal session cookie
====================

We are using the PHPSESSID cookie to manage the user sessions, but some of our 
pages do not use SSL.

  "There are several ways to leak an existing session id
   to third parties. ... The solution here is to implement
   SSL on your server and make it mandatory for users."

  Reference: http://php.net/manual/en/ref.session.php


So, we have to use SSL on all pages to avoid that security issue. It is easy. 
I will make the needed modifications in Layer-0__Site_entry_point/*.php

  Pros:
    Avoid this specific security issue.

  Cons:
    More bytes to transfer. However, the webapp has to be secure.



Additional measures
===================

  session.use_only_cookies = 1 (Not activated yet)
        Enabling this setting prevents attacks that involve
        passing session ids in URLs.

  session.cookie_lifetime = 0  (Now, it is = 0. Is it right?)

  session.cookie_secure = 1    (Now, not used!)
        Specifies whether cookies should only be sent
        over secure connections.

  session.cookie_httponly = 1  (Now disabled)
        This means that the cookie won't be accessible by
        scripting languages, such as JavaScript. This setting
        can effectively help to reduce identity theft through
        XSS attacks.

Additional:
  session.bug_compat_42 = 1    (Already activated)
  session.bug_compat_warn = 1  (Already activated)



Therefore, I propose updating the current production environment, and updating 
the file http://www.gnuherds.org/doc/conf/php.ini

Let me know if you disagree, or if you have any additional comments,
Davi
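An added example (not GNU Herds code, and not from this message) of what the proposal looks like when applied in a site entry point: redirect every plain-HTTP request to HTTPS, apply the session settings listed above at runtime so the app does not depend on the host's php.ini, and verify they actually took effect. It assumes PHP 5.2 or later (for the httponly flag), that the web server sets $_SERVER['HTTPS'], and a site hostname constant (SITE_HOST) that is an assumption here.

```php
<?php
// Added example, not part of the original message or the GNU Herds code base.
// Assumes PHP >= 5.2 and that the web server fills $_SERVER['HTTPS'] on SSL requests.
define('SITE_HOST', 'www.gnuherds.org'); // fixed host: never build redirects from the Host header

// 1. SSL on all pages: a session id that crosses plain HTTP can be read on the wire.
$https_on = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (!$https_on) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI']);
    exit;
}

// 2. The same settings proposed for php.ini, set before session_start() so they
//    apply to the cookie PHP is about to send.
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.cookie_lifetime', '0');  // cookie lives until the browser closes
ini_set('session.cookie_secure', '1');    // browser sends the cookie only over HTTPS
ini_set('session.cookie_httponly', '1');  // cookie is not readable from JavaScript (XSS)

session_start();

// 3. Sanity check: returns a list of settings the host has overridden, empty when all is well.
function session_hardening_errors()
{
    $required = array(
        'session.use_only_cookies' => '1',
        'session.cookie_lifetime'  => '0',
        'session.cookie_secure'    => '1',
        'session.cookie_httponly'  => '1',
    );
    $errors = array();
    foreach ($required as $name => $want) {
        $have = (string) ini_get($name);
        if ($have !== $want) {
            $errors[] = "$name is '$have', expected '$want'";
        }
    }
    return $errors;
}

$problems = session_hardening_errors();
if (count($problems) > 0) {
    error_log('session hardening: ' . implode('; ', $problems));
}
```

The redirect uses the fixed SITE_HOST rather than the client-supplied Host header, so a crafted Host header cannot turn the redirect into a bounce to another site.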
