Session query
Is there any way to get rid of the ?PHPSESSID=... that comes up when you first access a page that uses sessions?
Thanks.
The only way I know how to do what you are wanting is to turn sessions off completely and then just turn on cookies.
Here is a good Google search for the problem you are having:
http://www.google.com/search?hl=en&rls= ... 22&spell=1
Re: Session query
someberry wrote:
Is there any way to get rid of the ?PHPSESSID=... that comes up when you first access a page that uses sessions?
Thanks.

Place before calling any session functions:
Code: Select all
ini_set('session.use_trans_sid', false);

Skara wrote:
This bugs me too. Will setting the above value screw with anything?

Absolutely.
The purpose of trans_sid is for situations where the user *does not* accept cookies. Unfortunately, PHP defaults to doing it for all users/all pages.
In other words:
If a user accepts cookies, he will see those links. (yuck)
If a user DOES NOT accept cookies, he will see those links, and still be able to get sessions (yay).
By setting trans_sid off, you remove sessions for users that don't accept cookies, to get your clean urls back.
So yes, it does break something: Users that don't accept cookies won't be able to keep a session across pages.
Shiznatix wrote:
and if so, what's the difference? The only security issue I could think of is someone trying to randomly generate a session ID that isn't there, but then the odds of it working are like a billion to none, so I don't think I see the problem

No, the odds aren't nearly that remote, and session guessing is actually becoming somewhat common. That's why a recommended best practice is to use session_regen_id whenever there is a "state" change in the session (i.e., after login, changed password, changed privilege level, etc.).
That way, even if you guess my initial session (boo!), once I log in, I have another session ID. It deeply reduces the likelihood of session replay attacks, substantially improving the security for really very little cost.
Well, if a user wants to use the site, then (s)he will be required to have cookies enabled. However, the code doesn't seem to be working at the moment. I am calling it like this:
Code: Select all
<?php
ini_set('session.use_trans_sid', false);
session_start();
Is that correct?
Thanks.
At the time I posted, I couldn't check my code. In fact, I do it like this:
Code: Select all
ini_set('url_rewriter.tags', ''); // Ensure that the session id is *not* passed on the url.
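
The two pieces of advice in this thread (keep the session ID out of URLs, and issue a new ID on a state change such as login), combined in one place as an added example that is not code from any poster. The helper names start_hardened_session() and login_user() are hypothetical, and session_regenerate_id() is PHP's built-in function for the regeneration step discussed above.

```php
<?php
// Added example: cookie-only sessions plus session ID rotation on login.
// start_hardened_session() and login_user() are hypothetical helper names.

function start_hardened_session(): void
{
    // These settings must be applied before session_start(); they cannot be
    // changed once the session is active.
    ini_set('session.use_trans_sid', '0');     // never append the session ID to URLs
    ini_set('session.use_only_cookies', '1');  // ignore session IDs supplied in the query string
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.cookie_httponly', '1');   // keep the cookie out of reach of page scripts
    ini_set('session.cookie_secure', '1');     // assumption: the site is served over HTTPS

    session_start();
}

function login_user(string $username): void
{
    // Assumption: the caller has already verified the user's credentials.
    // State change: issue a new ID and delete the old session's data, so an
    // ID that was guessed or leaked before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Demonstration with a constructed user name.
start_hardened_session();
$before = session_id();
login_user('alice');
$after = session_id();

echo $before !== $after
    ? "session ID rotated on login\n"
    : "session ID NOT rotated\n";
```

With session.use_only_cookies enabled, visitors who refuse cookies get no persistent session, which is the trade-off described earlier in the thread.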