PHPSESSID showing in url

[r-it]

i hav a problem with my website, the thing is when my page loads, it shows the session id in the url, i donno y this is happening, but its something like this: www.example.com?PHPSESSID=ce6462759be0d3584927cff7a8092bee. i'm afraid an attacker might use this to attack me, how would i go about not having it show there. it only shows the first time, after that, it's gone.

[Orio]

If you want to get rid of that, set session.use_trans_sid in your php.ini to 0.
If session.use_cookies is set to 0, set it to 1.

Orio.

[r-it]

i dont have control of the php.ini file. my host doesn't allow me to, so i did something like this:

[color=red]
<?php
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
session_start();
?>[/color]
and i store that as sess.inc

if i were to add this line:
ini_set('session.use_trans_sid', 0);

would all be well, and what does it mean

[r-it]

this dont work btw

[r-it]

*bump*

[Orio]

I think this will work:

[code]<?php
ini_set( 'session.use_cookies', 1);
ini_set( 'session.use_only_cookies', 1);
ini_set( 'session.use_trans_sid', 1);
session_start();
//rest of code
?>[/code]

Orio.

[r-it]

nope

[pnj]

One would suspect that if a commercial web server does not give you access to php.ini, they will also restrict your ability to dynamically change the settings that would be in that file, since this would be equivalent to having access to it...

What are the consequences of someone reading your session id from an http get?  Could php flag and reject a request from a session id that was established from a different ip?

[rajmohan]

it is possible without permisson can we able to access the php.ini file from the server.

if possible how???