getting rid of phpsessid

I'm reasonably new to PHP and need to find out how to turn off those pesky phpsessid variables that show up in the url from time to time. From my understanding you need to do it thru the php.ini file, but what if you don't have access to that file???

 

You might add this line of code to your .htaccess file:

php_value session.use_trans_sid 0

PHP:

 

thanks...seems to work

 

Will there be any implications if the phpsessid "cannot" be appended to the url? How will that affect session management?

 

I think that as long as the user has cookies enabled then the phpsessid is useless...can anyone verify this?

 

How come for the same website, using the same IE and same computer, accessing the same link - sometimes the phpsessid comes out in the url, sometimes not?

 

that I don't know....but I'd love to find out

 

You can use the following code to append Session id to the URL. I am not sure, but the parameter SID will either be empty or not (maybe depend on the PHP config and local computer?)

//
// Append $SID to a url. Borrowed from phplib and modified. This is an
// extra routine utilised by the session code above and acts as a wrapper
// around every single URL and form action. If you replace the session
// code you must include this routine, even if it's empty.
//
function append_sid($url, $non_html_amp = false)
{
//    global $SID; // Hai: if you specify an global SID
    $SID=SID;
//    $SID=$session_name.'='.session_id(); // Hai: use this to show SID always
    $session_name=session_name();

    if ( !empty($SID) && !eregi("$session_name=", $url) )
    {
        $url .= ( ( substr_count($url, '?') != false ) ?  ( ( $non_html_amp ) ? '&' : '&' ) : '?' ) . $SID;
    }

    return($url);
}

PHP:

 

It's the 21st century, I believe everyone has cookies enabled in their browser ...

 

Assuming you're using PHP 4.2.0 or later, PHP firstly checks for a session ID cookie and if that wasn't passed by the browser it amends the SID= onto any href, form action and similar to ensure that the session is always kept alive.

Usually by the second page the user hits this session ID cookie will be available so from that point on you won't see the SID= amended to anything. I have sometimes found this not to be absolutely strictly true, but generally it works. Prior to 4.2.0 you had to work out whether to add the session ID or not yourself.


If you want to turn it off on a per script basis rather than for any script affected by .htaccess, this isn't officially possible until PHP5. However if you add this to the top of the script it'll turn that off by telling PHP to amend SIDs to, well, nothing.

ini_set('url_rewriter.tags', ''); 

Code (markup):

The majority probably do, but there are still a significant number who don't have them on just like maybe 10% of the users don't have Javascript turned on (although there's more sense in that). Some are just ill-informed and some are paranoid....probably resulting from caffine overdoes!

Trev

 

I second that, I'm sometimes tempted to disable cookies when I've had too much coffee!

Re: ini_set(), keep in mind that some hosts have this function disabled (GoDaddy for example) -- probably for security reasons. So if you want your code to be portable, make it a habbit out of doing something like

$ok = @ini_set('blah', 'bleh');
if (!$ok) {
//...oops do something
}

 

Trev,
was your answer in response to this? I have cookies enabled and sometimes see the phpsessid. I've changed my htaccess file so they don't show now. This seems like a minor problem, but I really don't want the search engines to see the phpsessid. Thanks

 

Why on the first page the session id cannot be set to the cookie and need to be appended to the href and form action? - on the 2nd page and subsequent pages there is no problem assigning the session id to the cookie as the session id is not in hrefs anymore.

If we turned of PHPSESSID in .htaccess, will there be any problem when we want to use session in our scripts but the client's cookie is disabled?

 

Are you initializing the session after you output content to the browser?

No, but the spiders won't like it. You could remove the SESSIONID string from the URL if the user agent string matches a certain criteria (look for msnbot, yahoo, ia_archiver, googlebot and others you might find).

 

I have these 2 lines after some HTML tags (like tables, etc):
session_cache_limiter("");
session_start();

If I just turn of PHPSESSID, there will be problem using session on browsers with cookies turned off, right?

 

put those lines *before* you output any content to the client (including HTTP headers).
And yes, if you have PHPSESSID turned off and browser cookies off as well, sessions won't work.

 

Gmorkster, ok will try that. Thanks.