
Why You Should Disable PHP's session use_trans_sid

Posted by martin on 1 Jun 2002, last updated on 10 Sep 2002.

PHP will add a unique PHPSESSID query pair to URIs within your site if cookies are not available and session.use_trans_sid is set. While this helps people who do not accept cookies, it also causes search engines to rank your site low.

Why should I care

As of PHP version 4.2.0 you no longer need to configure PHP with --enable-trans-sid to have transparent session support, which means that a lot more hosts will have it.

Without this feature you can usually choose between sending cookies to the visitor and modifying the URLs, with cookies being the default setting. Cookies do no harm (most of the time), but appending a query string to all URLs is quite different.

Search engines

When search engines crawl your site they usually won't remember the cookies they are sent, so PHP will modify the links for them. As a result, the links to your site at Google will always have a query string with the session attached to them. Besides the fact that they will look bad, search engines will crawl less of your site, and you don't want that when search engines are the most popular way for people to find a site.

What's more, they may even consider your site to be mirroring itself when they get different sessions appended. To search engines this looks as if different pages have exactly the same content, and they will lower your site's rank or even ban it.

XHTML 1.0 Strict or XHTML 1.1 validation

If you have forms and have left the default settings for the rewritable tags, PHP will also add a hidden input to the forms on your site, but it does so in such a way that your code cannot validate as XHTML 1.0 Strict or XHTML 1.1.

How do I deal with that

You can disable that feature via a .htaccess file or directly from PHP code.

For a .htaccess file you should add the following line:

php_flag session.use_trans_sid off

And in PHP code:

ini_set('session.use_trans_sid', false);
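
The steps above as an added example (not the article's own code): it applies the setting before session_start(), confirms with ini_get() that the runtime accepted it, and scans rendered markup for a session ID still being written into links or forms. The function names and sample markup are hypothetical, and session.use_only_cookies is an added assumption so that IDs supplied in a URL are rejected as well.

```php
<?php
// Added example, not from the original article; names and sample markup are constructed.

/** Turn off URL-based session IDs; return directives that did not take effect. */
function disable_url_session_ids(): array
{
    $wanted = [
        'session.use_trans_sid'    => false, // stop rewriting links and forms
        'session.use_only_cookies' => true,  // assumption: also reject IDs sent in the URL
    ];
    $failed = [];
    foreach ($wanted as $name => $on) {
        @ini_set($name, $on ? '1' : '0'); // the runtime may refuse this change
        // Check the effective value: "", "0" and "Off" all mean disabled.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN) !== $on) {
            $failed[] = $name;
        }
    }
    return $failed;
}

/** Return each link target or hidden field in $html that carries the session name. */
function find_session_id_leaks(string $html, string $sessionName): array
{
    $n = preg_quote($sessionName, '~');
    $patterns = [
        "~(?:href|src|action)\s*=\s*[\"'][^\"']*[?&;]{$n}=[^\"'&]*~i",
        "~<input\b[^>]*\bname\s*=\s*[\"']{$n}[\"'][^>]*>~i",
    ];
    $hits = [];
    foreach ($patterns as $pattern) {
        preg_match_all($pattern, $html, $m);
        $hits = array_merge($hits, $m[0]);
    }
    return $hits;
}

// Must run before session_start() and before any output is sent.
$failed = disable_url_session_ids();
if ($failed) {
    error_log('Not changeable at runtime: ' . implode(', ', $failed));
}
// Constructed sample of markup as rewritten when use_trans_sid is on.
$sample = '<a href="/page.php?PHPSESSID=0123456789abcdef">next</a>'
    . '<form action="/buy.php"><input type="hidden" name="PHPSESSID" value="0123456789abcdef" /></form>'
    . '<a href="/about.php">about</a>';
foreach (find_session_id_leaks($sample, 'PHPSESSID') as $hit) {
    echo "session ID exposed in markup: $hit\n";
}
```

Any directive reported in `$failed` has to be set in php.ini or .htaccess instead, as shown above.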

Comments

mask , PHPSESSID
by lolik (lolikk@barak-online.net) on 26 Dec 2002 7:10pm GMT

hi

when i enter to the site

dietnow.run.to

that is configured to target

www.top-diet.com?index.php?sid=2000

with mask cloaking on the url

it goes into the target url ok but

adds index.php?PHPSESSID=67723jkdfjkasjr8f98j

and destroys my session!!!

how do i fix it

when i still want to use the mask cloaking?

10x

PHPSESSID hidden field automatically inserted into forms
by iso (email@isomorphicnet.com) on 16 Feb 2003 3:41pm GMT

remember to call

ini_set('session.use_trans_sid', false);

before

session_start();

www.isomorphicnet.com

making links absolute rather than relative
by Steve () on 1 May 2003 7:37pm GMT

I've done the ini_set on my site, but it still seems to place the sessionid in the url for relative links -- say [a href="/page.php"], it will still change it even when I reset the trans_sid to false (before the session_start()).. So, I've made them absolute links and this seemed to resolve the issue..

turn url_rewriter.tags off
by Martin () on 26 May 2003 2:55pm GMT

ini_set('session.use_trans_sid', false); won't help,

but

ini_set("url_rewriter.tags","");

does

Forget everything but htaccess
by jfmsimplecomplex on 15 Sep 2003 9:36pm GMT

<IfModule mod_php4.c>
php_flag session.use_trans_sid off
</IfModule>

This page (and Martin Tsachev) saved my day, or rather my week.

I've been working pretty hard to get those damned sessionids out of the url.

The versions of PHP-environments I currently work in are 4.3.2 and 4.3.3. No matter what the manuals say, the ini_sets session.use_only_cookies and session.use_trans_sid have failed. And url_rewriter.tags simply disables session-starting at all.

Before these endeavours I spent some time constructing complicated sequences of header- and refresh-redirects, until I picked up that the session simply dies during a redirect (unless you write ?PHPSESSID=$PHPSESSID into the executing urls, obviously getting nowhere in the attempts to get rid of the sh..).

But the .htaccess-expression does the trick.

Hooray!

Thanks jfmsimplecomplex
by Happy Hunter () on 16 Oct 2003 11:53am GMT

That was exactly what i needed to see.

I wasn't sure how to write it in the .htaccess file.

You couldn't have made it clearer.

Hooray Indeed :)

PHP session IDs and google
by Astronaut Pete () on 20 Oct 2003 9:32pm GMT

I finished developing my site before fully understanding the google-monster.

I was really worried about turning my SESSION IDs off in case my real customers had dropped sessions, or didn't have cookies enabled. So.... I am trying the following in an attempt to get google and the only other webcrawler on my site to have a good root round by turning the URL rewriter tags only for these user agents.

I've done this by checking the HTTP_USER_AGENT as follows BEFORE any session_start() command:

if(strpos($_SERVER['HTTP_USER_AGENT'],"google")!==false or strpos($_SERVER['HTTP_USER_AGENT'],"MSIECrawler")!==false)
{
    ini_set("url_rewriter.tags","");
}

Hope this is of use to those folks stuck up the same tree I was,

Astronaut Pete

PS how about making the add comments box a bit bigger???!!

What about IIS Servers?
by Steve (stevefree@yahoo.com) on 6 Nov 2003 9:57pm GMT

IIS does not use a .htaccess file. What do we do for this?

Turn this off in php altogether...
by Liquibyte () on 4 Dec 2003 8:30am GMT

Find 'session.use_trans_sid' in your php.ini file and make sure it's set to 0, i.e. 'session.use_trans_sid = 0'. This is off by default in PHP Version 4.3.4, I don't know about other versions, sorry.

php sessions & search engines
by mark thurston (mav1245@aol.com) on 4 Dec 2003 9:48pm GMT

or you could just use the user agent string with get_browser(); to exclude search engines from being assigned any of the session features. this could be a better approach as then anyone using non-cookie enabled browsers will still be able to enjoy your site and buy your products

runtime control of trans_sid
by Peter () on 16 Jan 2004 12:35am GMT

Using

ini_set('session.use_trans_sid', false);

will NOT work if you are using PHP as a compiled-in module to Apache (and possibly other servers). BUT(!) Martin and Astronaut Pete are correct in suggesting

ini_set("url_rewriter.tags","");

because that is a RUNTIME modifiable string. This allows trans_sid to do its thing, but it doesn't have any "thing" to do.

Result: runtime control of trans_sid for people using compiled-in PHP modules.

IMODE Programming
by Malik Muhammad Younus Awan (younus@iuj.ac.jp) on 7 Feb 2004 8:08pm GMT

Hi,

i am developing a shopping site for imode enabled mobile phones using php. as far as i know not all imode browsers support cookies. what should i do in order to use session and are there any suggestions for making this website more secure?

thank you in advance

PHP v4.3.3R1
by casa (casa3311@hotmail.com) on 25 Mar 2004 1:17pm GMT

We recently upgraded to PHP V.4.3.3R1 and now, I have an intermittent problem of sessions not being carried between pages. I checked info.php and session.use_trans_sid is set to off. I have been told that if it is set to on, my session problem will go away. I do have session_start(); at the top of each page. If anyone could tell me if this is true or not, please email me at casa3311@hotmail.com

Doesn't work
by Dalibor Kezele (dalibor42@yahoo.com) on 27 Apr 2004 1:50pm GMT

When I turn off session.use_trans_sid PHPSESSIONID is gone but I am left without sessions too. What else should be done in order to have session control back? (PHP4.3+, Apache)

TIA,

dalibor42@dalibor42.f2o.org

help
by dejen (dejenalemu0@yahoo.com) on 28 Apr 2004 4:38pm GMT

i am developing a shopping site for mega enterprise using php. I try to use session to secure the site through login to order products. The php code is

<?php
'session.use_trans_sid = 0'.
session_start();
include 'connect.php';
$username = $_POST['username'];
$password = $_POST['password'];
if((!$username) || (!$password)){
    echo "Please enter ALL of the information! <br />";
    include 'logina.html';
    exit();}
$password = md5($password);
$sql = mysql_query("SELECT * FROM account WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);
if($login_check > 0){
    while($row = mysql_fetch_array($sql))
    {
        foreach( $row AS $key => $val )
        {
            $$key = stripslashes( $val );
        }
        session_register('username');
        $_SESSION['username'] = $username;
        include 'admina.html';
    }
}else {
    echo "You could not be logged in! Either the username or password do not match!<br />
Please try again!<br />";
    include 'logina.html';}
?>

But when I try to log in it retrieves the following warnings.

Warning: open(/tmp\sess_2adc3442630a9af3dfcd2293676d623a, O_RDWR) failed: No such file or directory (2) in c:\program files\apache group\apache\htdocs\mega\lo.php on line 3

Warning: open(/tmp\sess_2adc3442630a9af3dfcd2293676d623a, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Please help me to correct the above warning. Thank you.

hth
by myshpa () on 3 May 2004 12:47pm GMT

create directory [drive]:\tmp first

[drive] should be the drive you've got your files on

YOU......................
by richiebman () on 24 May 2004 1:05pm GMT

............BEAUTY!!!!!!!!

I will recommend this page to everyone I know (who also has PHP session problems).

What is the correct syntax?
by aleks () on 19 Jun 2004 9:15am GMT

php_flag session.use_trans_sid false

php_flag session.use_trans_sid off

php_flag session.use_trans_sid "0"

help
by eng ghee (eg.chua@st.com) on 25 Jun 2004 2:28am GMT

Hi All,

I'm currently running my php script on linux server. I have the similar problem as "dejen" mentioned above.

Is there any possibility to change "session_save_path=/tmp" to window environment (client) "session_save_path="c:\tmp"

Please advise me if any mistake that I mentioned above.

Thanks!

sess
by jsbb0 (jabb0@jabb0.co.uk) on 27 Jun 2004 10:15pm GMT

Can i disable use_trans_sid, and work with cookies disabled at the same time?

Session id
by Alex (zoonalex@hotmail.com) on 14 Jul 2004 10:37pm GMT

How can I pass a session ID to a page without using cookies?

I know that I can pass it through the URL, but how can I prevent others from seeing it in the URL?

Another solution for XHTML
by Laurens Holst (laurensh1@yahoo.com) on 28 Jul 2004 9:13pm GMT

As far as XHTML validation is concerned, another nice solution with the added advantage that it doesn't disable the trans_sid functionality itself is:

ini_set('arg_separator.input','&amp;');

ini_set('arg_separator.output','&amp;');

It simply changes the invalidating ampersand from & to &amp;, solving the problem! This is also a good solution if ini_set('session.use_trans_sid','0') doesn't work but you don't want to/can't tamper with .htaccess files.

~Grauw

Session id in forms
by Rob () on 14 Aug 2004 4:47pm GMT

I do want session ID to work in the members only section of my site, and want to pass the ID through an html form. I use ?session_name=session_ID. at the end of URLs, but what should I put in the Form?

Thanks

Session id in forms
by Gareth (gareth@save9.com) on 6 Oct 2004 12:19pm GMT

put <input type="hidden" and name = "session_name" and value = "<? echo $session_Id; ?>">

something like that

This is just not working for me...
by Marco Almeida (marcoalmeida@ptdivx.com) on 9 Oct 2004 12:41pm GMT

I have this in the first lines of my php code:

//Session ID should not be added to URL's

ini_set('session.use_trans_sid', false);

ini_set("url_rewriter.tags","");

My .htaccess file is:

php_flag session.use_trans_sid off

IndexIgnore *

And it just doesn't work... At my home test server it does, but in the production server it doesn't...

Production server phpinfo: http://www.websitefacil.com/info.php

php session with client re-direction
by chami (chamikara@yahoo.com) on 23 Nov 2004 10:54am GMT

Hi,

I'm trying to use php session in my site. It works fine when I re-direct pages from server side (require). But if I re-direct to a page from client side (using javascript) next page cannot access my session variables!! can any one help me pls..

chami

um..
by Cody Mays (crxgames@gmail.no-spammage.com) on 30 Nov 2004 11:44am GMT

The guy with the shop system needs to do something for security on that login...

PHPSESSID and Google not a problem?
by Nick Humphrey (nick@websynergy.no) on 2 Dec 2004 8:24pm GMT

I don't think this is a problem any more with Google. Google doesn't show the sessid in their serps although the actual link still contains it. I came across many pages with decent PageRank which had a sessid. ref.: http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=deskbar&q=inurl%3Aphpsessid

The one thing i'm unsure of is maybe the pages i looked at are doing something special that i don't know about..testing to see if the user is a googlebot, for example, AND another thing actually is i am not sure if it affects how deep google crawls their site. Someone could test that by running site: on a particular site and then running a link tester (w/ their permission) and comparing the total links from the link tester with google's site: value.

Session change & and dont go through pages
by Giancarlo () on 13 Dec 2004 6:13pm GMT

Hi, I am relative new to php. I was learning php about a month. I have a problem with the sessions that I guess is something in my php.ini, but I am not sure. I have APACHE-PHP-MYSQL server, and I upgrade to PHP 5.02 trying to get the sessions work, but was futile.

I try this code:

<?php
session_start();
//session_register('contador');
session_name('misesion');
printf ("Actual Session is: ".session_id()."<br>");
echo '<a href="'.$PHP_SELF.'?'.SID.'">Counter SID is: '.++$_SESSION['contador'].'</a><br>';
echo '<a href="'.$PHP_SELF.'?'.$PHPSESSID.'">Counter PHPSESSID is: '.++$_SESSION['contador']. '</a><br>';
echo 'Session name is '.session_name().' and the session '.$_REQUEST[misesion].'<br>';
echo '<a href="sesion2.php?SID">With SID</a><br>';
echo '<a href="sesion2.php?$PHPSESSID">With PHPSESSID</a><br>';
?>

With the Counter SID the session goes normally, with the Counter PHPSESSID, the session resets each time. Don't get it.

Then, never gives me $_REQUEST[misesion] (I change to $misesion and $_SESSION[misesion]) and nothing.

But the real problem is that when I send to sesion2.php the session_id() shows me that a new session open, with SID or PHPSESSID. In that way I can't maintain the session through pages, what can I do or what I am doing wrong?

Other thing, is that when I hit the Counter SID, my url appears like this:

http://localhost/pruebas/sesion.php?PHPSESSID=61ca9c60b10cc8f481ac9c1eacbee797

Is any way to hide the session number from there too?

ini_set('session.use_trans_sid', false);
by nathan stiles () on 23 Dec 2004 8:33am GMT

if my version is later than 4.2 will ini_set('session.use_trans_sid', false); actually change anything?

http://www.blog-buster.net
by Scribacchino (Scribacchino@hotmail.com) on 17 Jan 2005 10:24am GMT

Hello my friends! I am http://www.blog-buster.net

Ini set
by Tom () on 17 Jan 2005 8:09pm GMT

Ok thanks for pointing that out! added to my php.ini

myshpa ()
by Evelyn (evemeseguer@cantv.net) on 28 Jan 2005 8:42am GMT

I don't speak English, but thank you !!!!!!!

myshpa ()
by Evelyn (evemeseguer@cantv.net) on 28 Jan 2005 8:46am GMT

I have not slept in days looking for that instruction and it was here, thanks