[ANSWERED] Sessions: ?PHPSESSID= appended to URL

charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

Sessions! They're driving me a bit batty as I try to learn. My question for now is what causes "?PHPSESSID=" followed by about 32 random digits and characters to be appended to the URL of a hyperlink?

I assume the long string of digits and characters is the session_id number, but I've done nothing with PHP to specifically add that information to the address of a link.

Thanks in advance.
Last edited by charp on Wed Apr 21, 2004 7:17 pm, edited 1 time in total.
lostboy
Forum Contributor
Posts: 329
Joined: Mon Dec 30, 2002 8:12 pm
Location: toronto,canada

Post by lostboy »

It is the session id. It does get appended to the URL because (from the manual)
session.use_trans_sid boolean
session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.

URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
trans_sid is set to on
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Yeah, it's added automatically to each link and form (as a hidden field) in the following cases:
  • on the first page where session_start() is encountered
  • on all the subsequent pages if the user has cookies disabled
This behavior is controlled by the session.use_trans_sid directive in php.ini.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

And if you don't have access to php.ini, you can disable it in .htaccess

:P
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

So I've got a few questions about this. First of all, trans_sid is set to '0' on our server, which if I understand the incredibly brief documentation, should mean that I can expect session IDs to crop up every now and then in URLs, in the form of a GET variable. Well, they do. But only in Internet Explorer. In Firefox, Mozilla, presumably Safari, they do not.

The documentation indicates that turning trans_sid on is a potential security risk because it could allow open sessions to be intercepted. But isn't that completely backwards? It seems to me that they could be intercepted if they're in the URL like they are now, not if they're handled transparently (which I assume trans_ stands for).

So tell me: do I have something horribly backwards in my thinking? Or is there something bizarro with my server config?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

You should expect the behavior I described when session.use_trans_sid is on.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Hmm. Then why am I seeing it now, with it off? And why only in IE?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Maybe IE is blocking cookies?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

What are the other session.* directives in your php.ini?
Does your IE accept cookies? (Do other browsers accept them?)
Are you sure you see the current version of the page (e.g. not a cached one)?
Have you restarted Apache (IIS?) after you made changes in php.ini (if you made any)?
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Well, it's not on any other site, including this one. Logins have been maintained everywhere I've been, and I haven't noticed the session ID cropping up on many other sites. Of course, I don't use IE very often so it's hard to say.

I should admit that I'm not at all an expert on sessions/cookies.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Yes, IE accepts cookies.
No changes have been made to Apache, but in any case it has been restarted. Pages in the browser are current.

php.ini has these entries:
session.use_cookies = 1
; session.use_only_cookies = 1 (commented out)
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_expire = 180
session.use_trans_sid = 0


I did not originally set up this file, so I assume these are basically the defaults.
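As an added example (not code posted by anyone in this thread), one way to force cookie-only sessions at runtime when php.ini cannot be edited, using the session.* directives quoted in the posts above. The helper name start_cookie_only_session() is hypothetical, and the .htaccess lines in the comment assume PHP runs as an Apache module.

```php
<?php
// Added example, not code from the thread. start_cookie_only_session() is a
// hypothetical helper name. Equivalent per-directory settings for mod_php
// in .htaccess:
//   php_flag session.use_trans_sid off
//   php_flag session.use_only_cookies on

function start_cookie_only_session(): void
{
    // These must be set before session_start().
    ini_set('session.use_trans_sid', '0');    // do not rewrite links and forms with the ID
    ini_set('session.use_cookies', '1');      // deliver the ID in a cookie
    ini_set('session.use_only_cookies', '1'); // ignore an ID that arrives in the URL

    // A GET URL that already carries the ID (bookmark, e-mailed link) is
    // redirected to the same address without it, so it stops circulating.
    $name = session_name();                   // "PHPSESSID" unless renamed
    if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET[$name])) {
        $params = $_GET;
        unset($params[$name]);
        // Keep only the path so the redirect always stays on this host.
        $path  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
        $query = http_build_query($params);
        header('Location: ' . $path . ($query === '' ? '' : '?' . $query), true, 302);
        exit;
    }

    session_start();
}

start_cookie_only_session();
```

With session.use_only_cookies enabled, a visitor whose browser rejects cookies gets a fresh session on every request instead of an ID in the URL.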
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Finding out if IE 6 is blocking that site's cookies:
Tools > Internet Options > Privacy (tab) > Edit (button near bottom of dialog)

Search down the list of domains.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Is that a page we can visit?
Any chance of seeing the PHP code?
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Yeah, there's nothing there. No entries one way or another.
charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

Wow! Not only did I get an answer, but it looks like my question generated a healthy discussion for those with far greater knowledge about sessions than I'll probably ever need.

Thank you to all who replied -- glad you got something out of it too.