Session query

someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Session query

Post by someberry »

Is there any way to get rid of the ?PHPSESID=... that comes up when you first access a page that uses sessions?

Thanks.
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

the only way i know how to do what you are wanting is to turn sessions off completely and then just turn on cookies.

here is a good google search for the problem you are having :
http://www.google.com/search?hl=en&rls= ... 22&spell=1
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Session query

Post by Roja »

someberry wrote:Is there any way to get rid of the ?PHPSESID=... that comes up when you first access a page that uses sessions?

Thanks.
Place before calling any session functions:

ini_set('session.use_trans_sid', false); // stop PHP from appending ?PHPSESSID=... to links and forms
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

This bugs me too. Will setting the above value screw with anything?
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

and if so, what's the difference? The only security issue I could think of is someone trying to randomly generate a session ID that isn't there, but then the odds of it working are like a billion to none, so I don't think I see the problem.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Skara wrote:This bugs me too. Will setting the above value screw with anything?
Absolutely.

The purpose of trans_sid is for situations where the user *does not* accept cookies. Unfortunately, PHP defaults to doing it for all users/all pages.

In other words:

If a user accepts cookies, he will see those links. (yuck)
If a user DOES NOT accept cookies, he will see those links, and still be able to get sessions (yay).

By setting trans_sid off, you remove sessions for users that don't accept cookies, to get your clean urls back.

So yes, it does break something: Users that don't accept cookies won't be able to keep a session across pages.
Shiznatix wrote:and if so, what's the difference? The only security issue I could think of is someone trying to randomly generate a session ID that isn't there, but then the odds of it working are like a billion to none, so I don't think I see the problem.
No, the odds aren't nearly that remote, and session guessing is actually becoming somewhat common. That's why a recommended best practice is to use session_regen_id whenever there is a "state" change in the session (i.e., after login, changed password, changed privilege level, etc.).

That way, even if you guess my initial session (boo!), once I login, I have another session ID. It deeply reduces the likelihood of session replay attacks, substantially improving the security for really very little cost.
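An added example, not code from the thread, that puts the two points above together: the session ID is kept out of URLs before session_start(), and the ID is rotated with PHP's session_regenerate_id() on every state change. credentials_valid(), login(), logout() and the user record are constructed stand-ins.

```php
<?php
// Added example: URL-free session IDs plus ID rotation on state changes.
// credentials_valid()/login()/logout() and the user record are made up.

// These must run before session_start(): keep the ID out of URLs entirely.
ini_set('session.use_trans_sid', '0');    // no ?PHPSESSID=... rewriting
ini_set('session.use_only_cookies', '1'); // ignore IDs supplied in the query string
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
ini_set('url_rewriter.tags', '');         // nothing left for the rewriter to touch

session_start();

// Constructed stand-in for a real credential check (one hard-coded user).
function credentials_valid(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Log a user in. The key line is session_regenerate_id(true): the pre-login
// ID (which a third party may have guessed or planted) is discarded and its
// server-side data deleted, so it no longer maps to the logged-in state.
function login(string $user, string $password): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    $old = session_id();
    session_regenerate_id(true);       // new ID; old session storage destroyed
    $_SESSION['user'] = $user;
    $_SESSION['rotated_from'] = $old;  // for audit logging only; never trust it
    return true;
}

// The same rule applies to any other state change (logout, password or role
// change): rotate first, then clear or update the data.
function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

$before = session_id();
$ok = login('alice', 'correct horse');
printf("login %s; session id changed: %s\n",
    $ok ? 'ok' : 'failed',
    $before !== session_id() ? 'yes' : 'no');
```

Run from the command line the script reports that the ID changed; in a web context the same calls also re-issue the session cookie to the browser.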
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

supra but wouldn't me signing in again after my initial session being destroyed do just that, create a new session ID?
someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Post by someberry »

Well, if a user wants to use the site, then (s)he will be required to have cookies enabled. However, the code doesn't seem to be working. At the moment, I am calling it like this:

<?php
ini_set('session.use_trans_sid', false); // set before the session is started
session_start();
Is that correct?

Thanks.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

At the time I posted, I couldn't check my code. In fact, I do it like this:

ini_set('url_rewriter.tags', ''); // Ensure that the session id is *not* passed on the url.