How to resolve PHPSESSID.

Started by recordset, November 27, 2010, 09:02:34 AM


recordset

SMF 2.0 RC4

When a guest visits the URL


the CSS URL and image URL are incorrect


Sources/QueryString.php

search

if (empty($_COOKIE) && SID != '' && empty($context['browser']['possibly_robot']) && @version_compare(PHP_VERSION, '4.3.0') != -1)
$buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . '&amp;', $buffer);
// Debugging templates, are we?
elseif (isset($_GET['debug']))
$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '\\??/', '"' . $scripturl . '?debug;', $buffer);



Replace


if (empty($_COOKIE) && SID != '' && empty($context['browser']['possibly_robot']) && @version_compare(PHP_VERSION, '4.3.0') != -1){
//$buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . '&amp;', $buffer);
// Debugging templates, are we?
}elseif (isset($_GET['debug'])){
$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '\\??/', '"' . $scripturl . '?debug;', $buffer);
}


www.lampanglife.com





Kindred

Is this a question, a suggestion or what? Your post did not include any details other than your code snippet and so it is unclear what you are asking.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

BartB

Quote from: Kindred on December 03, 2010, 10:53:25 AM
Is this a question, a suggestion or what? Your post did not include any details other than your code snippet and so it is unclear what you are asking.

He's not asking anything, he's giving us a solution (yay!) for a long-lasting problem that I too had with my forum:

If a user typed my site-URL and did not have a cookie set for my forum, he/she would see the URL in the address bar, with the dreaded additional ?PHPSESSID=blahblah.
Not all too bad, but the main problem was (in my case) that this resulted in a '500' Internal server error.

This has been mentioned a lot over the years that SMF exists now, and nobody really came with a solution other than "it's a server thing".

The code snippet in the first message IS indeed solving the problem. So I'm happy :) All I would want to know is: Is this solution a proper one, safe one, recommended one?

Kindred

that sessionID stuff is SECURITY...   just removing a line of code like that is ***NOT*** a "solution", it's a hack..    a hack which potentially leads to other problems.

If your site has problems with the sessionID, then your host/server is misconfigured.

BartB

Ok. Gotcha. Repaired it again :)

Sigh. Now "all I need to do" is convince the hoster that they misconfigured the server. Usually teaching your cat to sing the national anthem is an easier task than that, but I'll try :)

Acans

I think we'll move this out of the bug reports board and to SMF Coding Discussion.
"The Book of Arantor, 17:3-5
  And I said unto him, thy database query shalt always be sent by the messenger of $smcFunc
  And $smcFunc shall protect you against injections and evil
  And so it came to pass that mysql_query was declared deprecated and even though he says he is not
  dead yet, the time was soon to come to pass when mysql_query shall be gone and no more

Masterd

As Kindred said, PHPSESSID is not a problem. Without this your forum will not function properly. There are many other topics where you can see that this is not a problem.

DoctorMalboro

Quote from: Masterd on January 10, 2011, 06:03:22 AM
As Kindred said, PHPSESSID is not a problem. Without this your forum will not function properly. There are many other topics where you can see that this is not a problem.

Especially when someone registers...

Kays

The line which is commented out in the OP adds &amp; to the PHPSESSID as a separator. I wonder if this is what is giving the problem. I can't get it to break the URL on my test site but I have seen problems reported before. Just never knew until now where the dreaded PHPSESSID was set up.

Try replacing it with a semi-colon. ";"


      $buffer = preg_replace('/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote(SID, '/') . ')\\??/', '"' . $scripturl . '?' . SID . ';', $buffer);


It doesn't seem to break anything or produce errors.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods
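
What the rewrite line discussed in this thread does to a page's links with either separator, as an added example that is not part of any post above or of SMF's own code. The forum URL, session value and HTML buffer are constructed, and rewrite_links() is a hypothetical wrapper around the quoted preg_replace call:

```php
<?php
// Added illustration. All values below are constructed for the example.
$scripturl = 'http://forum.example/index.php';   // assumed forum URL
$sid       = 'PHPSESSID=0123456789abcdef';        // stands in for PHP's SID constant

// Same pattern and replacement shape as the QueryString.php line quoted in
// the thread; only the separator appended after the session ID is a parameter.
function rewrite_links(string $buffer, string $scripturl, string $sid, string $sep): string
{
    // Match "<scripturl> plus an optional '?', unless the session ID already follows.
    $pattern = '/"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\\??/';
    return preg_replace($pattern, '"' . $scripturl . '?' . $sid . $sep, $buffer);
}

// Constructed output buffer: a bare link, a link with a query string, a link
// that already carries the session ID, and a URL that is not $scripturl.
$buffer = implode("\n", [
    '<a href="' . $scripturl . '">Home</a>',
    '<a href="' . $scripturl . '?board=1.0">Board</a>',
    '<a href="' . $scripturl . '?' . $sid . ';topic=5.0">Already tagged</a>',
    '<link rel="stylesheet" href="http://forum.example/Themes/default/css/index.css" />',
]);

// '&amp;' is the separator in the original line; ';' is the one suggested above.
// In an HTML attribute the browser decodes '&amp;' to '&' before requesting the URL.
foreach (['&amp;', ';'] as $sep) {
    echo "separator {$sep}\n", rewrite_links($buffer, $scripturl, $sid, $sep), "\n\n";
}
```

The first two links gain the session ID followed by the separator (the bare link ends with a trailing separator), while the already-tagged link and the stylesheet URL are left unchanged.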

opensourcelounge

I just installed 2.0 RC4 and had the very same problem. php.ini settings are

session.use_trans_sid = 0

and tried both 1 and 0 for
session.use_only_cookies boolean

It seems to be a bug to me.

Kindred

what is a bug? the fact that it displays a sessionID or the fact that your host is misconfigured for the use of ; and & in urls?

opensourcelounge

Quote from: Kindred on January 14, 2011, 02:22:04 PM
what is a bug? the fact that it displays a sessionID or the fact that your host is misconfigured for the use of ; and & in urls?
Not a bug, just wanted to remove PHPSESSID from URL.

Can you please tell me what is the correct configuration? I can see the same PHPSESSID case with www.simplemachines.org. Open the site after deleting cookies, you'll see URLs like the following
http://www.simplemachines.org/community/index.php?P=af0fc27af4d184847c5508187e66f317&board=1.0
http://www.simplemachines.org/community/index.php?P=af0fc27af4d184847c5508187e66f317&board=19.0

Kindred

yes, sessionID is ***INTENDED*** to be in the url. It's a security measure. It's done on purpose and we're not going to tell you how to remove a purposeful security measure.

opensourcelounge

Right. But it is widely said that appending a session id is a security risk.

Illori

where is it widely said? provide some proof of your claims

opensourcelounge

It is written in http://www.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid.

IchBin™

Quote from: opensourcelounge on January 14, 2011, 02:43:02 PM
Right. But it is widely said that appending a session id is a security risk.

That is why SMF removes the sessionID from the URL after only a couple of page loads. It's initially set for good reason. After you load a couple more pages SMF no longer needs it set in the URL.
IchBin™        TinyPortal

opensourcelounge

Quote from: IchBin™ on January 14, 2011, 03:00:06 PM
That is why SMF removes the sessionID from the URL after only a couple of page loads. It's initially set for good reason. After you load a couple more pages SMF no longer needs it set in the URL.
But this may cause search engine crawlers to index the same page under different URLs (one with PHPSESSID and one without the ID). And I think Googlebot does not accept cookies/sessions. I don't know whether this thing really creates duplicate pages or not :-\.

IchBin™

I don't think this is a problem. At least, I haven't seen anyone complain that they are getting duplicate URLs being indexed because of a session ID. If it is a problem, you can add a rule in the robots.txt file to circumvent this I'm sure.

Kindred

it does not affect Google in any way, because SMF 2.0 uses the canonical tags
