Session query
Posted: Tue May 24, 2005 11:01 am
by someberry
Is there any way to get rid of the ?PHPSESID=... that comes up when you first access a page that uses sessions?
Thanks.
Posted: Tue May 24, 2005 11:31 am
by infolock
The only way I know how to do what you are wanting is to turn sessions off completely and then just turn on cookies.
Here is a good Google search for the problem you are having:
http://www.google.com/search?hl=en&rls= ... 22&spell=1
Re: Session query
Posted: Tue May 24, 2005 11:53 am
by Roja
someberry wrote: Is there any way to get rid of the ?PHPSESID=... that comes up when you first access a page that uses sessions?
Thanks.
Place before calling any session functions:
Code:
ini_set('session.use_trans_sid', false);
Posted: Tue May 24, 2005 1:20 pm
by Skara
This bugs me too. Will setting the above value screw with anything?
Posted: Tue May 24, 2005 1:28 pm
by shiznatix
And if so, what's the difference? The only security issue I could think of is someone trying to randomly generate a session id that isn't there, but then the odds of it working are like a billion to none, so I don't think I see the problem.
Posted: Tue May 24, 2005 2:20 pm
by Roja
Skara wrote: This bugs me too. Will setting the above value screw with anything?
Absolutely.
The purpose of trans_sid is for situations where the user *does not* accept cookies. Unfortunately, PHP defaults to doing it for all users/all pages.
In other words:
If a user accepts cookies, he will see those links. (yuck)
If a user DOES NOT accept cookies, he will see those links, and still be able to get sessions (yay).
By setting trans_sid off, you remove sessions for users that don't accept cookies, to get your clean urls back.
So yes, it does break something: Users that don't accept cookies won't be able to keep a session across pages.
Shiznatix wrote: And if so, what's the difference? The only security issue I could think of is someone trying to randomly generate a session id that isn't there, but then the odds of it working are like a billion to none, so I don't think I see the problem.
No, the odds aren't nearly that remote, and session guessing is actually becoming somewhat common. That's why a recommended best practice is to use session_regen_id whenever there is a "state" change in the session (i.e., after login, changed password, changed privilege level, etc.).
That way, even if you guess my initial session (boo!), once I login, I have another session ID. It deeply reduces the likelihood of session replay attacks, substantially improving the security for really very little cost.
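The regeneration-on-state-change practice described in the post above, as an added example that is not code from the thread. The PHP function is session_regenerate_id(); passing true makes PHP delete the old session data so the pre-login id cannot be resumed. check_credentials() and the single sample user are constructed placeholders for the application's own user store.

```php
<?php
// Added example: regenerate the session id on every privilege change
// (login, logout, role elevation) so that an id observed or guessed
// before authentication never becomes an authenticated session.
declare(strict_types=1);

// Placeholder user store (constructed for this example). Real code looks
// the user up in a database and verifies a stored password hash.
function check_credentials(string $user, string $pass): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 1; // constructed user id
    }
    return null;
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns [old id, new id] on success so the caller can see the change,
// or null when the credentials are rejected.
function login(string $user, string $pass): ?array
{
    ensure_session();
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return null;
    }
    $old = session_id();
    // State change: issue a fresh id and discard the old session data.
    session_regenerate_id(true);
    $_SESSION['uid']     = $uid;
    $_SESSION['auth_at'] = time();
    return [$old, session_id()];
}

// Same rule for any later privilege change, e.g. an admin role being granted.
function elevate(string $role): string
{
    ensure_session();
    session_regenerate_id(true);
    $_SESSION['role'] = $role;
    return session_id();
}

function logout(): void
{
    ensure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the browser's copy of the cookie as well as the server state.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Because session_start() resumes whatever id the browser presents, simply logging in again does not by itself change the id; the explicit session_regenerate_id() call in login() is what invalidates the earlier one.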
Posted: Tue May 24, 2005 2:27 pm
by shiznatix
Supra, but wouldn't me signing in again after my initial session being destroyed do just that, create a new session id?
Posted: Thu May 26, 2005 2:12 pm
by someberry
Well, if a user wants to use the site, then (s)he will be required to have cookies enabled. However, the code doesn't seem to be working, at the moment, I am calling it like this:
Code:
<?PHP
ini_set('session.use_trans_sid', false);
session_start();
Is that correct?
Thanks.
Posted: Thu May 26, 2005 2:53 pm
by Roja
At the time I posted, I couldn't check my code. In fact, I do it like this:
Code:
ini_set('url_rewriter.tags', ''); // Ensure that the session id is *not* passed on the url.
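A bootstrap that combines the two settings from this thread (session.use_trans_sid and url_rewriter.tags) and checks that they took effect, as an added example rather than code from any poster. It also sets session.use_only_cookies, which makes PHP ignore a session id arriving in the query string; that directive, and the cookie flags below it, are standard PHP ini settings not mentioned in the thread. Everything here has to run before session_start() and before any output.

```php
<?php
// Added example: keep the session id out of URLs and accept it only from
// the cookie. Run before session_start() and before any output is sent.
declare(strict_types=1);

function harden_session_config(): array
{
    // Stop PHP from rewriting links/forms to carry ?PHPSESSID=...
    ini_set('session.use_trans_sid', '0');
    // Belt and braces: no HTML tags get the id appended even if trans_sid
    // is forced back on by a global php.ini.
    ini_set('url_rewriter.tags', '');
    // Read the id from the cookie only, never from GET or POST.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_cookies', '1');
    // Cookie hygiene: no script access, TLS only, reject foreign-origin use.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // Refuse ids the server did not generate itself (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');

    return [
        'use_trans_sid'     => (string) ini_get('session.use_trans_sid'),
        'url_rewriter.tags' => (string) ini_get('url_rewriter.tags'),
        'use_only_cookies'  => (string) ini_get('session.use_only_cookies'),
        'use_strict_mode'   => (string) ini_get('session.use_strict_mode'),
    ];
}

// A quick self-check: a misplaced ini_set (after output, or after
// session_start) silently leaves the old values in force.
function session_config_ok(array $s): bool
{
    return $s['use_trans_sid'] === '0'
        && $s['url_rewriter.tags'] === ''
        && $s['use_only_cookies'] === '1'
        && $s['use_strict_mode'] === '1';
}

$settings = harden_session_config();
if (!session_config_ok($settings)) {
    // Fail closed rather than serve pages with the id in the URL.
    http_response_code(500);
    exit('session configuration not applied');
}
session_start();
```

Users who refuse cookies will not keep a session with this configuration, which is exactly the trade-off Roja describes above; the check function makes the failure visible at startup instead of in the rendered links.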