Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

&PHPSESSID Added to Hyperlinks!

Posted on 2004-11-19
15
Medium Priority
?
460 Views
Last Modified: 2008-01-09
Whenever I add session_start(); to the top of my webpage in order for some code that uses Sessional Data to work the following is appended to all my hyperlinks in the GET area:

&PHPSESSID=4c56db88889c27838f4b54f7408d63

So for example a link to 'page.php' would now look like this:

<a href="page.php?my_var=something&PHPSESSID=4c56db88889c27838f4b54f7408d63">Click Here</a>

Why is PHP adding this 'PHPSESSID' variable to my links when I use session_start(); ?

I don't want this behaviour because it is failing my W3C HTML Validation.

Here's what my PHP looks like:

<?
# Page Information Comments

session_start();

# Rest of Code here
?>

The session_start function call is the first line (after some comments).

I notice if I remove the line session_start(); the PHPSESSID variable dissapears, but at the same time my Sessional Code stops working.

How can I use sessions but stop the PHPSESSID rubbish?
0
Comment
Question by:russelldav
  • 6
  • 2
  • 2
  • +4
15 Comments
 
LVL 20

Expert Comment

by:virmaior
ID: 12629784
These three lines determine the session behavior:

session.use_cookies
session.use_only_cookies
session.use_trans_sid

what you are seeing are trans_sid's

if you have use_cookies set to 0 and use_trans_id set to 1 then you would see them

Normally use_cookies is set to 1 and trans_id only happens when a cookie cannot be placed

(using sessions places a cookie with the session ID on the end user's computer)

see:
http://us2.php.net/manual/en/ref.session.php
0
 

Author Comment

by:russelldav
ID: 12630465
What do I need to do to replace session_start(); then?
0
 
LVL 48

Accepted Solution

by:
hernst42 earned 600 total points
ID: 12630587
no you don't need to modify start_session. Just do a
session_start();
ini_set('session.use_trans_sid', '0');

on the pages you don't want the PHPSESSID to be added.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:russelldav
ID: 12630611
My PHP now says:

<?
# Setup Session
session_start();
ini_set('session.use_trans_sid', '0');

....
?>

Yet I still see the &PHPSESSID appended to hyperlinks ?
0
 
LVL 6

Expert Comment

by:jkna_gunn
ID: 12630666
one way to stop it is by have absolute links so if you have a link to index :

<a href="index.php">Index</a>

it becomes

<a href="http://www.yoursite.com/index.php">Index</a>

0
 

Author Comment

by:russelldav
ID: 12630711
I'll experiment with absolute links. In the meantime if anyone else has a way of stopping it I'd appreciate it!
0
 
LVL 13

Expert Comment

by:StormyWaters
ID: 12631387
PHPSESSID will be added to the URL if the user has cookies disabled or you set it to never attempt to use cookies.

See here: http://us2.php.net/session for more information.

You can use ini_set("session.use_only_cookies", "1"); but that might prevent users without cookies from using your site.

Check your configuration settings in PHP.INI. Maybe you have disabled session.use_cookies, in which case it would only attempt to append it to the URL.
0
 

Author Comment

by:russelldav
ID: 12634208
I checked the configuration and session.use_cookies is ON.

I don't want to change links so that they are absolute, I prefer to use Relative links.

Here's a snippet from the Configuration (Values are the same for Local and Master):

+ + Session

session.auto_start Off
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /tmp
session.serialize_handler php
session.use_cookies On
session.use_only_cookies Off
session.use_trans_sid On

+ + PHP Variables

_REQUEST["PHPSESSID"] 97abc84309d2b3d7c93b89dd4af724d5
_COOKIE["PHPSESSID"] 97abc84309d2b3d7c93b89dd4af724d5
_SERVER["HTTP_COOKIE"] PHPSESSID=97abc84309d2b3d7c93b89dd4af724d5

I don't know if this helps you at all?

0
 
LVL 20

Expert Comment

by:virmaior
ID: 12634214
if it can't set the cookie then it will automatically use the trans sid (put the id in the url)
see if you still get sessions when you set
session.use_trans_sid Off

I don't think using ini_set works on this one, because you'll be sending the trans id before you initiate the page parsing.
0
 
LVL 10

Expert Comment

by:eeBlueShadow
ID: 12635990
To get the behaviour W3C compliant, simply open php.ini and change

arg_separator.output = "&"
to
arg_separator.output = "&amp;"

PHP will still add the session ID, which is useful for functionality, but your pages will now validate.

_Blue
0
 
LVL 1

Expert Comment

by:hallvors
ID: 12637978
This didn't work:

# Setup Session
session_start();
ini_set('session.use_trans_sid', '0');


What about reversing the order? Perhaps the ini-value must be set before the session is initiated.

ini_set('session.use_trans_sid', '0');
session_start();


Anyway, I agree that changing the separator to &amp; is a better solution because it allows sessions to work even if the visitors turn off cookies.
0
 

Author Comment

by:russelldav
ID: 12640236
I tried moving the ini_set() so it was BEFORE the session_start() but the problem is still there. I'm still not keen on changing the configuration file - Non-standard configurations usually mean someone is doing something in a way that could be done a lot better.  

Is there another work around for this?

If only I didn't have W3C Validation as a requirement :P
0
 

Author Comment

by:russelldav
ID: 12640286
Work around by adding the following line to the server's .htaccess file:

php_value session.use_trans_sid Off
0
 
LVL 13

Expert Comment

by:StormyWaters
ID: 12640299
>> Non-standard configurations usually mean someone is doing something in a way that could be done a lot better.  

Or it means that you're just doing something that their default config file doesn't do...
0
 
LVL 10

Expert Comment

by:eeBlueShadow
ID: 12643208
> If only I didn't have W3C Validation as a requirement :P

Like I said, you *can* have working sessions and W3C validation, aall you have to do is change the arg_separator.output value in php.ini.

At the moment, people who don't accept cookies can't use your website.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses
Course of the Month20 days, 20 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question