Configuring PHP settings overview
Note that all PHP session related parameters are marked as PHP_INI_ALL. That means these values can be specified in the files php.ini, httpd.conf, .htaccess or even using the function ini_set in scripts.
For the purposes of this document, the syntax for .htaccess files (per-directory settings) or httpd.conf (global server or per-virtual-host settings) is used, assuming you have access to them. If you need to use an .htaccess file, use the one located in the main directory of the application itself (often the document root of the domain). You can create it if you don't have one already. Note that some hosting providers may restrict these options. If in doubt, ask them.
If you need to check the current PHP settings that may affect your application, you can do so by invoking the function phpinfo: create a file named (say) phpinfo.php with the following contents and upload it to the main directory of the application.
<?php
phpinfo();
?>
...and point your browser to it. Remember to remove that file when done: keeping it there may reveal critical information about your server to third parties. It is so simple that it is easy to recreate when necessary.
The syntax to define a PHP parameter in an .htaccess file is as follows:
php_value variable_name value
For boolean parameters, the following syntax is also accepted:
php_flag variable_name on|off
Depending on your server configuration, you may not have permission to use .htaccess files. In that case, if you don't have access to the php.ini file either (where the syntax is usually explicit, with examples), you may need to modify a script that is part of the application to set PHP options with the function ini_set. Check the manual for the exact syntax and/or ask the application developers which script is the proper place for this. Ideally, it should be at the top of a single script that is loaded for every request.
About the PHPSESSID
PHPSESSID stands for "PHP SESSion IDentifier". It is the default value for the variable used to store/transfer the session id. This value can be changed with the option session.name and, in fact, it might be necessary to do so, depending on your particular needs, as we'll see later.
Avoiding the PHPSESSID in URLs
The following settings make PHP use cookies (and only cookies) to transfer the session id to the browser (and to retrieve it from the browser). That is, the PHPSESSID will never be appended to URLs and, of particular interest here, it will never be read from URLs (or POST variables). The one caveat is that users will need cookie support to access certain features of your web site (login, etc.). The benefit is that no one will be able to fix a session identifier simply by passing it in a URL. Of course, they could still fix or hijack a session by getting at the cookies, but that is much harder. Please see the references section on the previous page.
php_flag session.use_cookies on
php_flag session.use_only_cookies on
php_flag session.use_trans_sid off
php_value url_rewriter.tags ''
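As an added example (not from the original article), here are the same four settings applied from a script with ini_set, for hosts where neither .htaccess nor php.ini can be edited as described above. The bootstrap file name and the fail-closed error handling are assumptions; the point is that a directive the hosting provider has locked is detected instead of silently leaving session ids readable from the URL.

```php
<?php
// Added example: put this at the top of the one script every request loads
// (e.g. an assumed common include such as bootstrap.php), before session_start().

// Desired values, mirroring the .htaccess directives above.
// PHP accepts '1'/'0' for boolean directives and '' to clear url_rewriter.tags.
$requiredSessionSettings = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'url_rewriter.tags'        => '',
];

/**
 * Apply each directive with ini_set() and return the names of those that
 * could not be changed. ini_set() returns false when the directive is not
 * changeable at runtime (for example, restricted by the hosting provider).
 */
function harden_session_transport(array $settings): array
{
    $failures = [];
    foreach ($settings as $name => $value) {
        if (ini_set($name, $value) === false) {
            $failures[] = $name;
        }
    }
    return $failures;
}

$failures = harden_session_transport($requiredSessionSettings);
if ($failures !== []) {
    // Fail closed: log which directives are locked so the operator can fix
    // them in php.ini or httpd.conf, and do not start a session whose id
    // might still be accepted from the URL.
    error_log('Session hardening failed for: ' . implode(', ', $failures));
    http_response_code(500);
    exit('Server configuration error.');
}

session_start();
```

Once this is in place, phpinfo() should show the "Local Value" column for these four directives matching the values above, which is the quickest way to confirm the script took effect.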
How to avoid the PHPSESSID in URLs?
Submitted on Wed, 2006-04-05 13:26