
Disable session IDs passed via URL

URL based session management not only carries additional security risks compared to cookie based session management, it can also cause real problems when search engines index your pages. Your visitors may send a URL that contains an active session ID to their friends, or they may bookmark a URL that contains a session ID and then always access your site with that same session ID. In the same way that your visitors can store URLs with session IDs, search engines may index them as well, which means new users will access your site with an older session ID. And not only that: most search engines want to provide relevant results for their users, so different pages (URLs) with the same content can be penalized or even banned.

We must all admit that a SESSID or PHPSESSID added to the end of a URL doesn't look very nice, and it is not even easy to remember. For this reason and all of the above, you should disable URL based session management on your sites and keep session IDs in cookies instead. Granted, disabling session IDs in the URL can become a usability issue, because all visitors must have cookies enabled to make use of any code that requires sessions, like login scripts, but there are other ways to manage this internally.

The easiest way to prevent PHP from automatically adding session IDs to all of your URLs is to disable them system wide within a .htaccess file. This file contains one or more configuration directives that apply to its directory and all subdirectories thereof.

Notice

Works only on Apache HTTP Server.

If you do not have a file called .htaccess in the root folder of your website, please create one and add the following code to it:

php_value session.use_only_cookies 1
php_value session.use_trans_sid 0

Some server configurations won't allow you to change PHP settings within your .htaccess file. You can get the same result by storing the configuration in a regular PHP file that you include (once) at the top of all other script files of your website, before any session is started. Simply add the following code to the file:

<?php
// These settings must be applied before session_start() is called
if (function_exists('ini_set')) {
    // Use cookies to store the session ID on the client side
    ini_set('session.use_only_cookies', 1);
    // Disable transparent session ID support (no automatic URL rewriting)
    ini_set('session.use_trans_sid', 0);
}

An additional step is required if you already have pages indexed on search engines with session IDs added to the URLs, or if you know that people could have bookmarked them. You can do it even just to prevent this from happening. In the same way as the always-included PHP file above works, you can redirect pages with a session ID attached to their URL to the same page with no ID, and send a "301 Moved Permanently" header. With this header, ordinary visitors won't notice anything, but search engines will know the next time they crawl your page that the URL has moved to its new location with no session ID attached, and will update their listing. Whether or not you include the above code in the file, the following code will help you a lot:

<?php
// Determine the current URL. HTTP_HOST comes from the client's Host header,
// so only echo it back for hostnames your server actually serves.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$URL = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

// Decode and clean URL (turn HTML-escaped separators back into plain "&")
$URL = urldecode($URL);
$URL = str_replace('&amp;', '&', $URL);

// The session name is configurable, so escape it before using it in a pattern
$name = preg_quote(session_name(), '#');

// Check that PHP is not in safe mode and that the session ID is passed via URL
if (!ini_get('safe_mode') && preg_match('#' . $name . '=([^=&\s]*)#i', $URL)) {
    // Remove the session parameter wherever it sits in the query string:
    // "?NAME=id&rest" becomes "?rest"; "&NAME=id" and a trailing "?NAME=id" are dropped
    $URL = preg_replace('#\?' . $name . '=([^=&\s]*)&#i', '?', $URL);
    $URL = preg_replace('#[?&]' . $name . '=([^=&\s]*)#i', '', $URL);
    // Drop any "&" or "?" left dangling at the end of the URL
    $URL = preg_replace('#[&?]+$#', '', $URL);
    // Send the 301 Moved Permanently status and redirect to the clean URL
    header('Location: ' . trim($URL), true, 301);
    // End the current script
    exit();
}
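The same redirect written with a query-string parser instead of a regex, as an added example that is not part of the original post: it removes the session parameter wherever it appears, keeps the remaining parameters and fragment, and only builds a Location header for hosts in an allowlist, since the Host header is client-supplied. The allowlist and the example.test URLs are assumptions made for this example.

```php
<?php
// Added example (not from the original post): strip the session ID from a
// URL with parse_url/parse_str so the ID is removed wherever it sits in the
// query string and the other parameters are preserved.
function strip_session_id(string $url, string $sessionName): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;                          // nothing to strip
    }
    parse_str($parts['query'], $params);
    if (!array_key_exists($sessionName, $params)) {
        return $url;                          // no session ID present
    }
    unset($params[$sessionName]);
    $clean = ($parts['scheme'] ?? 'http') . '://' . ($parts['host'] ?? '');
    if (isset($parts['port']))     { $clean .= ':' . $parts['port']; }
    $clean .= $parts['path'] ?? '/';
    if ($params !== [])            { $clean .= '?' . http_build_query($params); }
    if (isset($parts['fragment'])) { $clean .= '#' . $parts['fragment']; }
    return $clean;
}

// Redirect helper. $allowedHosts is an assumption for this example: the Host
// header is chosen by the client, so only hostnames you serve are echoed back.
function redirect_if_session_in_url(array $allowedHosts): void
{
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowedHosts, true)) {
        return;                               // unknown host: do not redirect to it
    }
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    $url    = $scheme . '://' . $host . ($_SERVER['REQUEST_URI'] ?? '/');
    $clean  = strip_session_id($url, session_name());
    if ($clean !== $url) {
        header('Location: ' . $clean, true, 301);
        exit;
    }
}

// Self-check on constructed URLs (run from the CLI with zend.assertions=1).
assert(strip_session_id('http://example.test/page.php?PHPSESSID=abc123', 'PHPSESSID')
       === 'http://example.test/page.php');
assert(strip_session_id('http://example.test/page.php?PHPSESSID=abc123&id=7', 'PHPSESSID')
       === 'http://example.test/page.php?id=7');
assert(strip_session_id('http://example.test/a.php?x=1&PHPSESSID=abc#top', 'PHPSESSID')
       === 'http://example.test/a.php?x=1#top');
```

In a page, call redirect_if_session_in_url(['www.example.test']) before any output and before session_start().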

courtesy: http://www.frozenminds.com
