Bookmark and Share
Check Google Page Rank Locations of visitors to this page
Click to get Free offers

Friday, October 10, 2008

Disable session IDs passed via URL

URL based session management does not only have additional security risks compared to cookie based session management, but it can cause also real problems when search engines index your pages. Your visitors may send an URL that contains an active session ID to their friends or they may save the URL that contains a session ID to their bookmarks and access your site with the same session ID always. The same way your visitors can store URL's with sessions ID's, search engines may index them as well, this means new users will access your site with an older session ID. But not only that, most search engines want to provide relevant results for their users, so different pages (URL's) with the same content can be penalized or even banned.

We must all admit, SESSID or PHPSESSID added to the end of an URL doesn't look very nice and it's even not easy to remember. For this reason and all the above, you should disable URL based session management on your sites, and keep session ID's in cookies instead. Granted, if you disable session ID's in the URL, it can become a usability issue, because all visitors must have cookies enabled to make use of any code that requires sessions, like login scripts, but there are other ways to manage this internally.

The easiest way to prevent session ID's added automatically by PHP to all of your URL's, is to disable them system wide withing a .htaccess file. This file, containing one or more configuration directives that apply to that directory, and all subdirectories thereof.


Works only on Apache HTTP Server.

If you do not have a file called .htaccess in the root folder of your website, please create one and add following code to it:

php_value session.use_only_cookies 1
php_value session.use_trans_sid 0

Some server configurations won't allow you to change PHP settings within your .htaccess file. You can have the same result if you store the configuration to a regular PHP file, that you include (once) on top of all other script files of your website. Simply add following code to the file:

// PHP
(function_exists ('ini_set'))
//Use cookies to store the session ID on the client side
@ ini_set ('session.use_only_cookies', 1);
//Disable transparent Session ID support
@ ini_set ('session.use_trans_sid', 0);
// PHP

An additional step is required if you already have indexed pages on
search engines with session ID's added to the URL's, or if you know
that people could have bookmarked them. You can do it even to simply
prevent this from happening. The same way the above, always included,
PHP file works, you can redirect pages with a session ID attached to
it's URL to the same page with no ID, and send a "301 Moved
Permanently" header. Sending this header, basic visitors won't notice
anything, but search engines will know next time they crawl your page
that the URL is wrong and moved to it's new location with no session ID
attached and update their listing. Either you include the above code to
the file or not, following code will help you a lot:

// PHP
//Determine current URL

//Decode and clean URL
$URL = urldecode ($URL);
$URL = str_replace ('&', '&', $URL);

//Check if PHP is not in safe mode,
//and PHPSESSID is passed via URL
if (!ini_get ('safe_mode') && preg_match ('#'.session_name().'=([^=&\s]*)#i', $URL))
//Remove PHPSESSID junk and unneeded characters ("&" or "?") at end of URL
$URL = preg_replace ( array ('#(\?|&)'.session_name().'=([^=&\s]*)#', '#(&|\?)+$#'), '', $URL);
//Send Moved Permanently header
@ header ("HTTP/1.1 301 Moved Permanently");
//Redirect to clean URL
@ header ("Location: " . trim ($URL));
//End current script
// PHP

View blog reactions

No comments: