ansaurus

Question

My web host is adding ?PHPSESSID=fgh2h45... to the end of the URL...

Answer 1

A:

Either configure it to use cookie-based sessions or turn of sessions entirely.

Kalium 2010-07-07 01:03:37

Not helping me at all.. turn off session entirely???

Jonathan 2010-07-07 01:07:24

Answer 2

+4 A:

Your "host" isn't causing the issue, PHP is appending this data. Specifically, PHP is configured to append the PHPSESSID variable to the URL to allow PHP to track the session. It's possible to change the relevant setting using ini_set prior to calling session_start, or more permanently by updating the php.ini file (though since you're hosted this last option is probably out). This is a list of the available runtime settings for sessions in PHP.

While you can control whether or not the value is appended to the end of your URLs, it's required to track the sessions. Alternatively you can configure PHP to use cookies to track sessions, but requiring cookies to track sessions may break your application for users who reject cookies.

In short, you can control the session ID to make it a little prettier (by renaming PHPSESSID to something more amenable or making the value less cryptic) but unless you want to use cookies to maintain the session, you're stuck with this "garbage" on your URL. If you only use cookies some users may not be able to maintain the session.

To enable cookie based session handling you can execute either:

// stop PHP from automatically embedding PHPSESSID on local URLs
ini_set('session.use_trans_sid', false);

or

// only use cookies (no url based sessions)
ini_set('session.use_only_cookies', true);

Mark E 2010-07-07 01:06:40

Allowing anything other than cookies will expose the users to session fixation.

Artefacto 2010-07-07 01:21:51

@Artefacto, [Wikipedia suggests a number of ways beyond simply not accepting GET/POST SIDs](http://en.wikipedia.org/wiki/Session_fixation)

Mark E 2010-07-07 01:27:49

@Mark: In 'Mike Sherov' answer he puts false instead of true, which is correct?@Artefacto: can you explain a little more about the session fixation problem? So only use cookies and not sessions??

Jonathan 2010-07-07 01:32:08

@Jonathan, it appears I misread the manual, a quick search seems to indicate that that option is what's automatically embedding the PHPSESSID stuff in your URL, and it should be false (editing now).

Mark E 2010-07-07 01:46:00

@Jon You can use the URL to convey session information, but if you allow so, you have to be extra careful with session handling. See the Wikipedia article Mark has linked to. But beware several items there listed as "countermeasures" are only mitigating measures.

Artefacto 2010-07-07 01:59:40

Answer 3

+1 A:

If you can't modify php.ini yourself, you can do the following:

ini_set('session.use_trans_sid',false);

This will cause PHP to use cookie based session handling, and not append the session id to the URL (which could be a security risk anyway).

Mike Sherov 2010-07-07 01:11:50

ansaurus

tags:

views:

answers:

My web host is adding ?PHPSESSID=fgh2h45... to the end of the URL...

related questions