Yii session cookieMode


There 3 allowed values for cookieMode for YII sessions.

  1. none

  2. allow

  3. only

From a security perspective which value is the best and why?

Thanking you,



You shouldn’t be using transparent SIDs unless there is a good reason, PHP Security Guide: Sessions.

Basically anything but ‘only’ allows Session ID’s in URLs, this is exploitable, since an attacker can send a user to your site with a Session ID and then reuse that same Session ID to steal personal information.