[ANSWERED] Sessions: ?PHPSESSID= appended to URL
Posted by charp (Forum Commoner; Posts: 85; Joined: Sun Oct 26, 2003 3:00 pm; Location: Rancho Cucamonga, Calif. USA)
Sessions! They're driving me a bit batty as I try to learn. My question for now is what causes "?PHPSESSID=" followed by about 32 random digits and characters to be appended to the URL of a hyperlink?
I assume the long string of digits and characters is the session_id number, but I've done nothing with PHP to specifically add that information to the address of a link.
Thanks in advance.
Last edited by charp on Wed Apr 21, 2004 7:17 pm, edited 1 time in total.
It is the session id. It does get appended to the URL because trans_sid is set to on. From the manual:
session.use_trans_sid boolean
session.use_trans_sid: whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
So I've got a few questions about this. First of all, trans_sid is set to '0' on our server, which if I understand the incredibly brief documentation, should mean that I can expect session IDs to crop up every now and then in URLs, in the form of a GET variable. Well, they do. But only in Internet Explorer. In Firefox, Mozilla, presumably Safari, they do not.
The documentation indicates that turning trans_sid on is a potential security risk because it could allow open sessions to be intercepted. But isn't that completely backwards? It seems to me that they could be intercepted if they're in the URL like they are now, not if they're handled transparently (which I assume trans_ stands for).
So tell me: do I have something horribly backwards in my thinking? Or is there something bizarro with my server config?
Yes, IE accepts cookies.
No changes have been made to Apache, but in any case it has been restarted. Pages in the browser are current.
php.ini has these entries:
session.use_cookies = 1
; session.use_only_cookies = 1 (commented out)
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_expire = 180
session.use_trans_sid = 0
I did not originally set up this file, so I assume these are basically the defaults.
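An added example, not code from this thread or from PHP's own documentation, showing how the php.ini settings listed above relate to the ?PHPSESSID= behaviour and how to lock the session ID to the cookie. With session.use_only_cookies commented out, PHP will still accept a session ID arriving in the query string, and a browser that rejects cookies will be given the ID in the URL; setting it to 1 alongside use_trans_sid = 0 closes both doors. The ini_set() calls below are real directives; session.cookie_httponly and session.cookie_secure are later additions than the PHP 4 era of this thread and are assumed to be available on the server in question. The leak-logging branch at the end is this example's own addition.

```php
<?php
// Weak: the configuration quoted in the thread.
//   session.use_cookies = 1
//   ; session.use_only_cookies = 1   <- commented out, so a PHPSESSID in GET/POST is honoured
//   session.use_trans_sid = 0
//
// Hardened: apply before session_start(); the same keys can go in php.ini instead.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // read the ID from the cookie only, never from the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links or forms to carry the ID
ini_set('session.cookie_httponly', '1');  // keep the cookie out of reach of page scripts

// Mark the cookie Secure when the request actually arrived over TLS.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}

session_start();

// Defensive check (example's own addition): an ID in the query string means a
// bookmarked or forwarded URL is carrying a session. Record it and rotate the
// ID so the copy in the URL stops being usable.
if (isset($_GET[session_name()])) {
    error_log('PHPSESSID supplied via URL for ' . $_SERVER['REQUEST_URI']);
    session_regenerate_id(true);
}
```

With use_only_cookies on, a visitor whose browser refuses the cookie simply gets a new, empty session on every request instead of a working one, so the application must be prepared for that rather than relying on the URL fallback the thread observed in Internet Explorer.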