A while back Binny VA and recently Rishi alerted me to PHPSESSIDs in some of the URLs. PHPSESSID is used to indicate who owns the PHP session, something useful in case you are tracking sessions, as with shopping carts. However, PHPSESSIDs in the URL can make search engines think it is duplicate content, since technically there are two different URLs. It can also lead to a security breach if a URL with a PHPSESSID is inadvertently shared.
Disabling PHPSESSID depends on how PHP is being run in your web server. For PHP as a module, you can enter the following in your .htaccess file.
# To avoid PHPSESSID in URLs
<IfModule mod_php4.c>
php_flag session.use_trans_sid off
</IfModule>
# END PHPSESSID
PHPSESSIDs can still be tracked in cookies, or I believe by using session_id().
However, this works only if PHP is compiled as an Apache module. For PHP as CGI, the modifications will have to be done in the local php.ini file, the runtime configuration file.
session.use_trans_sid = 0
Details about access to your .htaccess and php.ini files can be provided by your host. Bluehost, where this blog is hosted, allowed me to access my .htaccess file. This seems to be working right now; however, if you still see the problem persist, kindly ping me about it. Also, I am not an expert on Apache configuration, so feel free to correct or add to this.
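One way to check that the change took effect, as an added example that is not code from the original post: this Python script scans a page's HTML for the two places where session.use_trans_sid leaves a session ID, rewritten link or form URLs and the hidden form field. The sample pages are constructed, and PHPSESSID is assumed as the session name (PHP's default for session.name).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "PHPSESSID"  # assumption: PHP's default session.name
URL_ATTRS = {"href", "src", "action"}  # attributes that carry URLs


class SessionIdLeakFinder(HTMLParser):
    """Collect the places where a session ID shows up in page markup."""

    def __init__(self, session_name=SESSION_NAME):
        super().__init__()
        self.session_name = session_name
        self.findings = []  # (tag, attribute, offending value)

    def handle_starttag(self, tag, attrs):
        # Links and form targets whose query string carries the session ID.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                query = parse_qs(urlsplit(value).query, keep_blank_values=True)
                if self.session_name in query:
                    self.findings.append((tag, name, value))
        # Hidden field that URL rewriting adds to forms.
        fields = dict(attrs)
        if tag == "input" and fields.get("name") == self.session_name:
            self.findings.append((tag, "name", fields.get("value") or ""))


def find_session_id_leaks(html, session_name=SESSION_NAME):
    """Return every (tag, attribute, value) that exposes the session ID."""
    finder = SessionIdLeakFinder(session_name)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages (not captured from any real site).
BEFORE = """<a href="cart.php?item=7&amp;PHPSESSID=0123456789abcdef">Cart</a>
<form action="search.php" method="post">
<input type="hidden" name="PHPSESSID" value="0123456789abcdef" />
<input type="text" name="q" /></form>"""
AFTER = """<a href="cart.php?item=7">Cart</a>
<form action="search.php" method="post"><input type="text" name="q" /></form>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, find_session_id_leaks(page))
```

Run it against pages fetched without cookies, since that is when PHP falls back to putting the ID in the URL.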


March 28th, 2007 at 4:35 pm
Thanks for the credit! You don’t need .htaccess to do this. The way I do it is to include this bit of PHP code in my common file (the file that is called in all PHP files)
ini_set('url_rewriter.tags', '');
ini_set('session.use_trans_sid', false);
session_start();
Please note that the 'session_start()' must be called after the other two lines and not before.
March 28th, 2007 at 5:11 pm
This setting is particularly handy for XHTML validation in coherence with search engines as well.
As a side note, form elements are given extra variables (if in a session_start()) if the php_flag session.use_trans_sid option isn’t set to “off”. This may fubar your attempt to get your XHTML document to validate.
As a supplement to Binny’s comment, you have three places to set this option on/off: the .htaccess, the php script itself and the apache config file itself (you will need privileges to edit the config file).
March 28th, 2007 at 5:33 pm
Thanks for the link. Good that it’s set now!
March 28th, 2007 at 5:34 pm
Binny, Alexander, thanks for your inputs. I wonder which is the recommended way or pros/cons of each way. In case of WordPress, the common file for calling session_start() would be the header.php I assume.
March 28th, 2007 at 5:52 pm
Typically, fourth time I try to write a comment, you have to remove the “insert name in the OpenID field automatically” function, drives me mad!
I was going to comment that you can choose between three ways: ini_set(), .htaccess files or Apache config file (httpd.conf). If you have full server rights on your Apache, and want to learn more, play around with these condition rules in the Apache config file, but remember to take backups!
With WordPress, I am not familiar with it, nor will I ever be, but if you can edit the header file, you can use the ini_set(); before session_start();
But, I recommend to use the .htaccess file to its full potential; you store all conditions to the directory where the .htaccess file resides (mainly the web root) in the .htaccess file so you don’t have to insert different ini_set()’s on every page.
You can also add several more rules, to make “pretty links” and custom link handling with the usage of mod_rewrite, wrote a quick post on it: mod_rewrite made easy a while ago.
March 28th, 2007 at 6:15 pm
Alexander, I am sorry if you are having trouble with the OpenID plugin. I will try to look into it, meanwhile please bear with me. I am trying to experiment with it, I very sincerely support the idea of OpenID.
I tend to agree with you to use the order of preference. I love the .htaccess rules, though not an expert I am beginning to realize its power. I would go to the code only if there is no access to the configuration or .htaccess files.
March 28th, 2007 at 9:36 pm
I have no grudge against OpenID, as I wish to implement it further down the line on my site, but it was pretty frustrating that it was put there automatically and that resulted in a comment that I had to write over and over again.
Keep up the good work!