PHP's session.use_trans_sid automatically appends the user's session id to urls when cookies are disabled. On the face of it, this
seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked
by anyone who might:
For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.
Since session.use_trans_sid is off by default, this rule raises an issue when it is explicitly enabled.
; php.ini session.use_trans_sid=1 ; Noncompliant