views: 76

answers: 3

I'm using iPage.com host. In order to use PHP sessions in their host I need to add session_save_path('/home/users/web/.../cgi-bin/tmp'); at the start of each page (in my case only index.php because everything goes through index.php first).

Now, they automatically add the session id to the end of every URL requested like this: website.com/movies/details/?PHPSESSID=4s54kjhdl...

I think this is causing problems and can affect Google indexing and SEO.

How to prevent this?

A: 

Either configure it to use cookie-based sessions or turn off sessions entirely.

Kalium
Not helping me at all.. turn off session entirely???
Jonathan
+4  A: 

Your "host" isn't causing the issue, PHP is appending this data. Specifically, PHP is configured to append the PHPSESSID variable to the URL to allow PHP to track the session. It's possible to change the relevant setting using ini_set prior to calling session_start, or more permanently by updating the php.ini file (though since you're hosted this last option is probably out). This is a list of the available runtime settings for sessions in PHP.

While you can control whether or not the value is appended to the end of your URLs, it's required to track the sessions. Alternatively you can configure PHP to use cookies to track sessions, but requiring cookies to track sessions may break your application for users who reject cookies.

In short, you can control the session ID to make it a little prettier (by renaming PHPSESSID to something more amenable or making the value less cryptic) but unless you want to use cookies to maintain the session, you're stuck with this "garbage" on your URL. If you only use cookies some users may not be able to maintain the session.

To enable cookie based session handling you can execute either:

// stop PHP from automatically embedding PHPSESSID on local URLs
ini_set('session.use_trans_sid', false);

or

// only use cookies (no url based sessions)
ini_set('session.use_only_cookies', true);
Mark E
Allowing anything other than cookies will expose the users to session fixation.
Artefacto
@Artefacto, [Wikipedia suggests a number of ways beyond simply not accepting GET/POST SIDs](http://en.wikipedia.org/wiki/Session_fixation)
Mark E
@Mark: In 'Mike Sherov's' answer he puts false instead of true, which is correct? @Artefacto: can you explain a little more about the session fixation problem? So only use cookies and not sessions??
Jonathan
@Jonathan, it appears I misread the manual; a quick search seems to indicate that that option is what's automatically embedding the PHPSESSID stuff in your URL, and it should be false (editing now).
Mark E
@Jon You can use the URL to convey session information, but if you allow so, you have to be extra careful with session handling. See the Wikipedia article Mark has linked to. But beware: several items listed there as "countermeasures" are only mitigating measures.
Artefacto
+1  A: 

If you can't modify php.ini yourself, you can do the following:

ini_set('session.use_trans_sid',false);

This will cause PHP to use cookie based session handling, and not append the session id to the URL (which could be a security risk anyway).

Mike Sherov
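The two answers above (Mark E's and Mike Sherov's) each show a single ini_set() call. The following is an added example, not code from any answer on this page, that puts the pieces together in the order PHP requires: every setting before session_start(), the save path from the question (the real path is elided on the page, so a placeholder is used), and an ID regeneration helper addressing the session fixation point raised in the comments. Note that session.use_trans_sid only stops PHP from rewriting links to carry the ID; it is session.use_only_cookies that stops PHP from accepting an ID supplied in the query string, so both are set here. The authenticate() function in the usage comment is hypothetical.

```php
<?php
// Added example (not from any answer on this page): a session bootstrap for a
// shared host where php.ini cannot be edited. Every ini_set() below must run
// before session_start(); once the session has started the settings are fixed.

// The question's hosting layout: a save path inside the account's own tree.
// The real path is elided on the page; this one is a placeholder.
session_save_path('/home/users/web/EXAMPLE_ACCOUNT/cgi-bin/tmp');

// Stop PHP from rewriting links and forms to carry ?PHPSESSID=... (the SEO issue).
ini_set('session.use_trans_sid', '0');

// Stop PHP from *accepting* an ID from the query string; only the cookie counts.
// Without this, a visitor who follows a link carrying a PHPSESSID still adopts
// that ID, which is what makes session fixation possible.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');

// Reject IDs the server never issued (PHP >= 5.5.2): a second guard against fixation.
ini_set('session.use_strict_mode', '1');

// Cookie hygiene: no JavaScript access; HTTPS-only when the request itself is HTTPS.
ini_set('session.cookie_httponly', '1');
$isHttps = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
ini_set('session.cookie_secure', $isHttps ? '1' : '0');

// Cosmetic change mentioned in Mark E's answer: rename the cookie from PHPSESSID.
session_name('sid');

session_start();

/**
 * Call this whenever the user's privilege level changes (login, role change).
 * It issues a fresh ID and deletes the old session file, so an ID that was
 * planted before login is worthless afterwards.
 */
function promote_session(array $userData): void
{
    session_regenerate_id(true);
    $_SESSION['user']    = $userData;
    $_SESSION['created'] = time();
}

// Usage, assuming a hypothetical authenticate() that validates credentials:
// if ($user = authenticate($_POST['login'] ?? '', $_POST['password'] ?? '')) {
//     promote_session($user);
// }
```

With use_only_cookies and use_strict_mode both on, a request carrying an unknown or URL-supplied ID simply gets a new session instead of inheriting the supplied one, and the links PHP emits no longer carry the ID, which resolves the indexing concern in the question as well.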