PHPSESSID appended 1

[RobBroekhuis]

I have a user forum that uses sessions to keep track of members moving about after signing in. All works well. Just today I noticed in my access logs that two requests to a particular page had the PHPSESSID=... appended to the query string. All other requests went through without the GET string, so the user wasn't having trouble with cookies as far as I can tell. Any idea why just these requests generated the querystring? By the way, the requests ORIGINATED on different pages, which puzzles me even more.


Rob

 

[sleipnir214]

What is the setting of session.use_trans_sid on your PHP installation?

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

use_cookies is on, use_trans_sid is 1.


Rob

 

[sleipnir214]

To be honest, I'm not really sure how PHP decides when to append the SID and when not to.

But you might look at your setting url_rewriter.tags, which tells PHP which HTML tags to append SIDs to. Maybe those two pages are using tags that none of the other pages do.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

I can't be completely sure of the path that was followed through my site. At least one time it was upon first entering the site at my index.php. The first thing index.php does is start a session, but upon entry, the session does not yet exist. The link resulting in the PHPSESSID appendage was of course written after the session was started, but perhaps before a cookie was set up? I can reproduce this one myself. The other one, seemingly occurring in the middle of a session, is more puzzling.


Rob

 

[sleipnir214]

You might just turn off use_trans_sid and be done with it. There are security risks to having the session ID in the URL.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

I'm running on a shared server - can I turn the setting off for my own scripts? So far, I've been making do with the server settings (including some non-default values, such as register_globals)


Rob

 

[sleipnir214]

According to the manual, session.use_trans_sid can be changed in php.ini, httpd.conf, or in a .htaccess file.

If you're running PHP on Apache, you should be able to create a .htaccess file which reads:

php_value session.use_trans_sid off

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

Youch! I put that line in my .htaccess, and all further requests to my website resulted in 500 errors! What did I do wrong?


Rob

 

[sleipnir214]

Sorry, my mistake. session.use_trans_sid takes a boolean setting.

Try in .httaccess:

php_[red]flag[/red] session.use_trans_sid off


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

I tried that, and still the 500 error. I'm putting this into the .htaccess in my docroot directory - is that where it should go?



Rob

 

[sleipnir214]

Yes, that's where it should go.

In order for PHP settings to work in .htaccess files, the Apache "AllowOverride" setting for your directory must be either "All" or "Options". If "Allowoverride" is set to "none", Apache will ignore .htaccess files.

I think that your server's admin has set "AllowOverride" to something like "AuthConfig" or "Limit" for your directory. In such case, php_flag or php_value is not a legal directive in a .htaccess file.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

My .htaccess at this point only contains an ErrorDocument entry (which works fine). Is that consistent with your evaluation above? If so, is there a different way to change PHP settings that can't be set using ini_set()?
If not, I can easily live with my current situation ;-)


Rob

 

[sleipnir214]

It depends on the setting.

This particular directive is defined to be changeable as "PHP_INI_SYSTEM | PHP_INI_PERDIR", which according to this page in the PHP online manual means it can only be changed in php.ini, httpd.conf, and .htaccess files.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RobBroekhuis]

Thanks for all your answers. I'll live with my server-bound lot...


Rob