PHPSESSID appearing in address
Posted: Thu May 20, 2004 2:11 pm
by Unipus
It appears to be sent as a query string in the address bar. I want it gone, obviously. I've taken a short stab at this problem before but never made too much progress. It's been a while (wearing too many hats as usual), so I'd appreciate some basic pointers on this one.
Posted: Thu May 20, 2004 2:23 pm
by Steveo31
session.use_cookies in the .ini file. Sometimes it appears on the first page, and after that it doesn't show up.
Posted: Thu May 20, 2004 4:39 pm
by tim
You can use full path links as well
<a href="index.php">click</a>
to:
<a href="http://www.domain.com/index.php">click</a>
If you don't have access to php.ini, it's possible to disable with .htaccess. If you need the code for that, let me know, as I would have to dig for it.
Posted: Thu May 20, 2004 5:44 pm
by Unipus
Well, let's discuss this for a second!
Both my servers are identical in terms of configuration. The local and the live server both have session.use_cookies set to 1. However, I have NEVER noticed this problem on the local server, only on the live one. So it seems like that's not really the cause? I'm hesitant to go flipping it around on the live server without something to test against.
Posted: Thu May 20, 2004 5:48 pm
by Unipus
Also, looking at the docs of session.use_cookies, it looks like I would *want* it set to 1 anyway.
Posted: Thu May 20, 2004 5:51 pm
by Unipus
edit: discovered the cause of THAT problem... our sysadmin has in fact set use_trans_sid enabled on the live server. So now I know what to do to get rid of that... but he says he did it intentionally to cater to users with cookies disabled. My initial response to this is: who on earth doing e-commerce has cookies disabled? But I don't have any facts or figures to back that up, really. So if anyone can help me in that regard, I'd appreciate it.
Secondly, he says (and I believe) it should be transparent unless needed. But clearly that's not the case, because I browse with cookies enabled and regularly end up seeing PHPSESSID sent in the URL anyway. So either this doesn't work properly or it's been misconfigured somewhere.
Posted: Thu May 20, 2004 6:20 pm
by feyd
I'd have to agree to your second part there, Unipus... I routinely get session IDs set in the URL...
As for the first part, although I have no data to back this up, most sites I visit require cookies, especially commerce sites. True, it'd be nicer to allow people to not have cookies enabled... that same mentality would have me making games on EGA colors still, using direct interrupts...
Posted: Thu May 20, 2004 6:25 pm
by Unipus
Sorry, I forgot to phrase my actual question: is there a way (server-side or client-side) that I can detect if a user has cookies disabled? I'd be much less hesitant to enforce cookie support if I knew I could throw up a warning for them beforehand.
Posted: Thu May 20, 2004 6:30 pm
by feyd
Attempting to set a cookie, and then checking for it, is the only way I know of finding out if they either have cookies enabled, or denied the cookie to set.
Posted: Thu May 20, 2004 7:13 pm
by launchcode
It is transparent until needed - but the use trans id flag overrides the cookie setting, so if a site has the trans ID enabled then it'll stick the session in the URL regardless of whether the user has cookies or not.
Posted: Thu May 20, 2004 7:59 pm
by Unipus
Well they should really think about fixing that!

Posted: Thu May 20, 2004 8:04 pm
by launchcode
What is there to fix? It works just fine.
Posted: Thu May 20, 2004 8:12 pm
by Unipus
I'd disagree. Seems to me it needs to operate much more like a failsafe than it does currently, and that would include checking for cookie support FIRST and then falling back to URL-based transaction if necessary, not doing it regardless.
Posted: Thu May 20, 2004 8:23 pm
by feyd
I have to agree with ya there Unipus.
Posted: Thu May 20, 2004 9:11 pm
by launchcode
It does it because that is what you have set in the php.ini.
What you want is perfectly possible - just enable the trans_id in your php.ini and then in your script check to see if the user supports cookies or not. If they do, use this before any session commands:
ini_set('session.use_only_cookies', '1');
Then the trans ID is hidden for all cookie users and available for all cookie-blocking weirdos.
This is not a bug, PHP should never assume to do something like this for you.
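The check discussed in this thread (set a cookie, see whether it comes back, then restrict the session to cookies before any session call), as an added example that is not code from any poster; the `cookie_probe` cookie and `cookie_check` query parameter are hypothetical names. Keeping the ID out of the URL also keeps it out of Referer headers, server logs and copied links.

```php
<?php
// Added example, not code from the thread. 'cookie_probe' and 'cookie_check'
// are hypothetical names chosen for this sketch.

/**
 * Classify the request: 'ok' (browser returned a cookie), 'probe' (first
 * visit, nothing tested yet) or 'blocked' (probe was sent, nothing came back).
 */
function cookie_state(array $cookies, array $query): string
{
    if (isset($cookies['cookie_probe']) || isset($cookies[session_name()])) {
        return 'ok';
    }
    return isset($query['cookie_check']) ? 'blocked' : 'probe';
}

$state = cookie_state($_COOKIE, $_GET);

if ($state === 'probe') {
    // First request: set a throwaway cookie and bounce once, so the next
    // request shows whether the browser sent it back. SCRIPT_NAME is used
    // rather than the raw request URI so the redirect stays on this script
    // (any original query string is dropped in this sketch).
    setcookie('cookie_probe', '1', 0, '/');
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?cookie_check=1', true, 302);
    exit;
}

if ($state === 'blocked') {
    // Warn the visitor instead of silently falling back to an ID in the URL.
    echo 'This site needs cookies to keep your session. Please enable them.';
    exit;
}

// Cookies work: keep the session ID out of URLs entirely.
// These calls must run before session_start().
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();
echo 'Session started; the ID travels in the cookie only.';
```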