Re: PHPSESSID in URL

From: Adriaan (red_at_de.solidareit)
Date: 04/26/04 

Date: Mon, 26 Apr 2004 07:25:17 +0200

"O.B." wrote
> Using PHP 4.3.4, I have a problem where some web pages appear and the
> links all have PHPSESSID=4094c333eb638b1e8c25632212079e05 attached to
> them. The HTML code itself does not have this text. Also, this
> behavior quickly disappears after the first few clicks of browsing.

When using sessions, PHP needs to figger out whether or not cookies are
enabled. If not, PHP will fall back to so-called "URL rewriting" that : it
appends the session id to any (relative) URL.

However, PHP cannot tell if the cookie was accepted until the browser
requests the 2nd page. If the cookie is accepted then PHP will be sent the
value of that cookie when the visitor clicks a link. If it does, PHP will
then stop the URL rewriting for all further pages. If PHP is not sent the
cookie value, then PHP keeps using the rewriting. So, just in case cookies
are not enabled, PHP uses both the cookie and URL rewriting for the very
first page that is shown to the visitor, for otherwise PHP would never know
if a request is the first page or not.

Just check with, for example Mozilla Firefox or strict cookie settings in
Internet Explorer.

So, as any link on the very first page will show this PHP session id, you
could try to make a page that has no links at all. Like use

    // in index.php
    header("Location: my2ndpage.php");

to have PHP figger out the cookie thing on an empty index.php page... You
could also disable URL rewriting, but then there's no fall back mechanism
for your sessions. If you're not using any session at all, then there must
be some setting that starts a session automatically.

Adriaan

Relevant Pages

  • Re: Sessions
    ... click the link and in aoltest3.php the session variable is visable. ... Registered serializer handlers php php_binary wddx ... session.name PHPSESSID PHPSESSID ... see the PHPSESSID, in a cookie, or in the URL. ...
    (comp.lang.php)
  • Strange difference when cookie disappears from $_REQUEST in HTTP vs. WAP
    ... with how PHP interacts with MySQL, ... Header has been generated to destroy your login session cookie, ... the cookie so it doesn't show up in $_REQUEST. ...
    (comp.lang.php)
  • Re: php session GC error
    ... After this number of seconds, stored data will be seen as 'garbage' ... how do I explicitly tell PHP in the ini what directory to use for session ... Lifetime in seconds of cookie or, if 0, until browser is restarted. ...
    (php.general)
  • Re: Is it safe to store user_id in Session?
    ... What I was wondering is how safe it is to store user_id or username or ... session so I do not need to search the database all the time. ... OVERRIDING BASIC SESSION COOKIE AUTHENTICATION ... So what is described in the article only works for bad php scripts. ...
    (comp.lang.php)
  • Re: Cookie not conserved across jump
    ... instruction in PHP. ... just leads to another HTTP request. ... $_SESSION is stocked up with the bits // the v2 page will need ... Why would session_startgenerate a new cookie at all? ...
    (comp.lang.php)