[ANSWERED] Sessions: ?PHPSESSID= appended to URL
Posted: Wed Apr 21, 2004 2:41 pm
by charp
Sessions! They're driving me a bit batty as I try to learn. My question for now is what causes "?PHPSESSID=" followed by about 32 random digits and characters to be appended to the URL of a hyperlink?
I assume the long string of digits and characters is the session_id number, but I've done nothing with PHP to specifically add that information to the address of a link.
Thanks in advance.
Posted: Wed Apr 21, 2004 2:48 pm
by lostboy
It is the session id. It does get appended to the URL because (from the manual)
session.use_trans_sid boolean
session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
trans_sid is set to on
Posted: Wed Apr 21, 2004 2:52 pm
by Weirdan
Yeah, it's added automatically to each link and form (as a hidden field) in the following cases:
- on the first page where session_start() is encountered
- on all the subsequent pages if the user has cookies disabled
This behavior is controlled by the session.use_trans_sid directive in php.ini
Posted: Wed Apr 21, 2004 4:48 pm
by tim
And if you don't have access to php.ini, you can disable it in .htaccess

Posted: Wed Apr 21, 2004 5:52 pm
by Unipus
So I've got a few questions about this. First of all, trans_sid is set to '0' on our server, which, if I understand the incredibly brief documentation, should mean that I can expect session IDs to crop up every now and then in URLs, in the form of a GET variable. Well, they do. But only in Internet Explorer. In Firefox, Mozilla, presumably Safari, they do not.
The documentation indicates that turning trans_sid on is a potential security risk because it could allow open sessions to be intercepted. But isn't that completely backwards? It seems to me that they could be intercepted if they're in the URL like they are now, not if they're handled transparently (which I assume trans_ stands for).
So tell me: do I have something horribly backwards in my thinking? Or is there something bizarro with my server config?
Posted: Wed Apr 21, 2004 6:01 pm
by Weirdan
You should expect the behavior I described when session.use_trans_sid is on
Posted: Wed Apr 21, 2004 6:06 pm
by Unipus
Hmm. Then why am I seeing it now, with it off? And why only in IE?
Posted: Wed Apr 21, 2004 6:09 pm
by feyd
Maybe IE is blocking cookies?
Posted: Wed Apr 21, 2004 6:15 pm
by Weirdan
What are the other session.* directives in your php.ini?
Does your IE accept cookies? (Do other browsers accept them?)
Are you sure you see the current version of the page (e.g. not a cached one)?
Have you restarted Apache (IIS?) after you made changes in php.ini (if you made any)?
Posted: Wed Apr 21, 2004 6:15 pm
by Unipus
Well, it's not on any other site, including this one. Logins have been maintained everywhere I've been, and I haven't noticed the session ID cropping up on many other sites. Of course, I don't use IE very often so it's hard to say.
I should admit that I'm not at all an expert on sessions/cookies.
Posted: Wed Apr 21, 2004 6:20 pm
by Unipus
Yes, IE accepts cookies.
No changes have been made to Apache, but in any case it has been restarted. Pages in the browser are current.
php.ini has these entries:
session.use_cookies = 1
; session.use_only_cookies = 1 (commented out)
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_expire = 180
session.use_trans_sid = 0
I did not originally set up this file, so I assume these are basically the defaults.
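Added example, not part of the original thread or any poster's code: a PHP check over the three directives discussed above that decide whether a session ID can travel in a URL. The sample input is constructed from the php.ini lines posted above; the function names and the defaults table are assumptions (defaults as in PHP versions before 5.3, where session.use_only_cookies is 0 when not set).

```php
<?php
// Added example: audit the session directives that decide whether a session
// ID may be carried in a URL. Function names here are hypothetical.

// Constructed sample: the three relevant lines from the excerpt in the thread.
$sample = <<<'INI'
session.use_cookies = 1
; session.use_only_cookies = 1
session.use_trans_sid = 0
INI;

// Wanted value and the reason for it, per directive.
const EXPECTED = [
    'session.use_cookies'      => ['1', 'cookies must be enabled to carry the ID'],
    'session.use_only_cookies' => ['1', 'otherwise PHP accepts a session ID supplied in the URL'],
    'session.use_trans_sid'    => ['0', 'otherwise PHP rewrites links and forms to embed the ID'],
];

// Normalise ini booleans ("On", "true", "yes", "1") to "1" or "0".
function ini_flag(string $raw): string
{
    return in_array(strtolower(trim($raw)), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

// $defaults holds the values PHP applies when a directive is absent or
// commented out (assumption: pre-5.3 defaults, see $legacyDefaults below).
function audit_session_ini(string $ini, array $defaults): array
{
    $set = parse_ini_string($ini, false, INI_SCANNER_RAW) ?: [];
    $findings = [];
    foreach (EXPECTED as $name => [$want, $why]) {
        $explicit = array_key_exists($name, $set);
        $have = ini_flag($explicit ? $set[$name] : $defaults[$name]);
        if ($have !== $want) {
            $origin = $explicit ? 'set explicitly' : 'not set, default applies';
            $findings[] = "$name = $have ($origin): $why";
        }
    }
    return $findings;
}

$legacyDefaults = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '0',
    'session.use_trans_sid'    => '0',
];

foreach (audit_session_ini($sample, $legacyDefaults) as $line) {
    echo $line, PHP_EOL;
}
```

A commented-out directive is treated as absent, so the effective value comes from the defaults table rather than from the text after the semicolon.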
Posted: Wed Apr 21, 2004 6:22 pm
by feyd
Finding out if IE 6 is blocking that site's cookies:
Tools > Internet Options > Privacy (tab) > Edit (button near bottom of dialog)
Search down the list of domains.
Posted: Wed Apr 21, 2004 6:23 pm
by Weirdan
Is that a page we can visit?
Any chance to see the PHP code?
Posted: Wed Apr 21, 2004 6:25 pm
by Unipus
Yeah, there's nothing there. No entries one way or another.
Posted: Wed Apr 21, 2004 7:15 pm
by charp
Wow! Not only did I get an answer, but it looks like my question generated a healthy discussion for those with far greater knowledge about sessions than I'll probably ever need.
Thank you to all who replied -- glad you got something out of it too.