PHPSESSID appearing in address


Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

It appears to be sent as a query string in the address bar. I want it gone, obviously. I've taken a short stab at this problem before but never made too much progress. It's been a while (wearing too many hats as usual), so I'd appreciate some basic pointers on this one.
Steveo31
Forum Contributor
Posts: 416
Joined: Sun Nov 23, 2003 9:05 pm
Location: San Jose CA

Post by Steveo31 »

session.use_cookies in the .ini file. Sometimes it appears on the first page, and after that it doesn't show up.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

you can use full path links as well

<a href="index.php">click</a>

to:

<a href="http://www.domain.com/index.php">click</a>

if you don't have access to php.ini, it's possible to disable with .htaccess. if you need the code for that, let me know as I would have to dig for it
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

well let's discuss this for a second!

both my servers are identical in terms of configuration. the local and the live server both have session.use_cookies set to 1. however, I have NEVER noticed this problem on the local server, only on the live one. So it seems like that's not really the cause? I'm hesitant to go flipping it around on the live server without something to test against.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Also, looking at the docs of session.use_cookies, it looks like I would *want* it set to 1 anyway.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

edit: discovered the cause of THAT problem... our sysadmin has in fact set use_trans_sid enabled on the live server. So now I know what to do to get rid of that... but he says he did it intentionally to cater to users with cookies disabled. My initial response to this is: who on earth doing e-commerce has cookies disabled? But I don't have any facts or figures to back that up, really. So if anyone can help me in that regard, I'd appreciate it.

Secondly, he says (and I believe) it should be transparent unless needed. But clearly that's not the case, because I browse with cookies enabled and regularly end up seeing PHPSESSID sent in the URL anyway. So either this doesn't work properly or it's been misconfigured somewhere.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd have to agree to your second part there Unipus.. I routinely get session id's set in the url...

as for the first part, although I have no data to back this up, most sites I visit require cookies, especially commerce sites. True it'd be nicer to allow people to not have cookies enabled.. that same mentality would have me making games on EGA colors still, using direct interrupts..
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Sorry, I forgot to phrase my actual question: is there a way (server-side or client-side) that I can detect if a user has cookies disabled? I'd be much less hesitant to enforce cookie support if I knew I could throw up a warning for them beforehand.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

attempting to set a cookie, and then checking for it is the only way I know of finding out if they either have cookies enabled, or denied the cookie to set.
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

It is transparent until needed - but the use trans id flag over-rides the cookie setting, so if a site has the trans ID enabled then it'll stick the session in the URL regardless if the user has cookies or not.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

Well they should really think about fixing that! 8)
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

What is there to fix? It works just fine.
Unipus
Forum Contributor
Posts: 409
Joined: Tue Aug 26, 2003 2:06 pm
Location: Los Angeles, CA

Post by Unipus »

I'd disagree. Seems to me it needs to operate much more like a failsafe than it does currently, and that would include checking for cookie support FIRST and then falling back to URL-based transaction if necessary, not doing it regardless.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I have to agree with ya there Unipus.
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

It does it because that is what you have set in the php.ini.

What you want is perfectly possible - just enable the trans_id in your php.ini and then in your script check to see if the user supports cookies or not. If they do, use this before any session commands:

ini_set('session.use_only_cookies', '1');

Then the trans ID is hidden for all cookie users and available for all cookie-blocking weirdos.

This is not a bug, PHP should never assume to do something like this for you.
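The cookie check feyd describes combined with the ini_set() call above, as an added example that is not code from any poster in this thread. It assumes the server has session.use_trans_sid enabled, as Unipus reports for the live server; the names `cookie_probe` and `probed` are hypothetical.

```php
<?php
// Added example. PROBE_COOKIE and PROBE_FLAG are hypothetical names.
const PROBE_COOKIE = 'cookie_probe';
const PROBE_FLAG   = 'probed';

/**
 * Classify the current request:
 *   'cookies'  - the browser sent the probe cookie back
 *   'fallback' - the probe was already tried and no cookie came back
 *   'probe'    - first visit: set the cookie and redirect once
 */
function cookie_state(array $cookies, array $query): string
{
    if (isset($cookies[PROBE_COOKIE])) {
        return 'cookies';
    }
    return isset($query[PROBE_FLAG]) ? 'fallback' : 'probe';
}

switch (cookie_state($_COOKIE, $_GET)) {
    case 'probe':
        // A cookie set now is only visible on the NEXT request, so bounce once.
        setcookie(PROBE_COOKIE, '1', 0, '/');
        // Build the target from SCRIPT_NAME, not the raw request URI, and
        // collapse leading slashes so the redirect always stays on this host.
        // Any query parameters on the first request are dropped here.
        $path = '/' . ltrim($_SERVER['SCRIPT_NAME'], '/');
        header('Location: ' . $path . '?' . PROBE_FLAG . '=1', true, 302);
        exit;

    case 'cookies':
        // Cookie users: PHP ignores session ids passed in the URL and
        // stops rewriting links, so PHPSESSID never reaches the address bar.
        ini_set('session.use_only_cookies', '1');
        break;

    case 'fallback':
        // Cookies refused: leave the server's use_trans_sid behaviour
        // untouched so the session still works through the URL.
        break;
}

// All session settings must be in place before this call.
session_start();
```

In the fallback branch the session id still travels in the URL, so it can end up in browser history, bookmarks, server logs and Referer headers.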