Northern Flame Posted April 4, 2008

I am on shared hosting and have no access to my php.ini file, so I have been looking for alternatives for taking the PHPSESSID off my URLs. Lately I have noticed that I only see PHPSESSID on pages where I have session_start() AND no $_SESSION variables have been set. If I set a random, meaningless $_SESSION variable, will that get rid of PHPSESSID on my links?

bryan52803 Posted April 4, 2008

Do you mean your URLs begin to look like "blah.php?PHPSESSID=as6d5afds56f5d6f5"? If so, you may be out of luck. If you can't modify your php.ini, then this is how the session ID must be persisted. If you remove this from the URL, you lose the data stored (or at least no longer know where to look for it). Thus, any time a session is started, whether or not session data is written, this will be affixed to your URLs. I'd recommend switching your hosting, or at least calling and asking to use your own php.ini.

Bryan

Northern Flame (Author) Posted April 4, 2008

Well, like I said, I've noticed that I see the PHPSESSID when no $_SESSION variable has been established. I'm wondering if creating a $_SESSION variable on all pages that have session_start() will take out the PHPSESSID from my links.

bryan52803 Posted April 4, 2008

Well, like I said, if you start a session, you have a session ID, regardless of whether or not session data is written, period. So if you call session_start(), you're going to start propagating that ID. Since you have no access to your configuration file, this is done automatically and is necessary since cookies are not used. Without this, session data cannot get from one page to the other, which really is the point of sessions to begin with. If you're insistent that setting a variable may work, then try it for crying out loud.

Bryan

Northern Flame (Author) Posted April 4, 2008

> Well, like I said, if you start a session, you have a session ID, regardless of whether or not session data is written, period. So if you call session_start(), you're going to start propagating that ID. Since you have no access to your configuration file, this is done automatically and is necessary since cookies are not used. Without this, session data cannot get from one page to the other, which really is the point of sessions to begin with. If you're insistent that setting a variable may work, then try it for crying out loud.
>
> Bryan

lol, I'm not saying it will solve it, I'm wondering if it would. I've noticed this a few times, but don't know if it's a coincidence or if that's the way to do it; that's why I'm asking.... And I'll give it a try and see if it gets rid of it then....

quiettech Posted April 5, 2008

This presents a security issue to you, as their customer. I'm sure they will be sensitive to your requests. Probably it's even an oversight and they didn't mean to leave session.use_cookies on 0. If not, you should indeed write a strong letter and terminate your contract. Even if you are bound to more months under the contract terms, you can always terminate it if you claim security issues (no matter what the fine letters say!).

Meanwhile, you may see the session ID simply because session.auto_start is also enabled. Which, in case it is, is yet another very poor choice by your host.

Northern Flame (Author) Posted April 5, 2008

Well, my host plan is running out in a month or two, and then I plan to move to a dedicated server, but for future reference, why is this a security issue?

bryan52803 Posted April 5, 2008

This page might be useful to you: http://www.ragepank.com/articles/26/disable-phpsessid/

But in a nutshell, if a user shares their URL with someone else, or worse it's indexed or otherwise obtained, then that user's custom page where they're logged in or otherwise may be accessed by another user. There are other reasons I believe, but this is the most basic.

Bryan

Northern Flame (Author) Posted April 5, 2008

Oh alright, thanks for that!

DyslexicDog Posted April 5, 2008

If you are on an Apache server you might be able to set the cookies variable using a .htaccess file.

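
Added example (not code from any poster in this thread): the session settings named above applied per directory or at runtime, for a host where php.ini cannot be edited. The function names `url_without_sid` and `start_cookie_only_session` are hypothetical, and the sketch assumes the host permits these overrides and that visitors accept cookies.

```php
<?php
// Added example, not code from the thread. Equivalent .htaccess lines
// (mod_php only, and only if the host allows overrides):
//   php_flag session.use_cookies on
//   php_flag session.use_only_cookies on
//   php_flag session.use_trans_sid off

// Return the request URI with the session parameter removed, or null when
// the parameter is absent and no redirect is needed.
function url_without_sid($requestUri, $name)
{
    $parts = parse_url($requestUri);
    if ($parts === false) {
        return null;
    }
    parse_str(isset($parts['query']) ? $parts['query'] : '', $query);
    if (!array_key_exists($name, $query)) {
        return null;
    }
    unset($query[$name]);
    // Keep only a local path so the redirect can never leave this site.
    $path = '/' . ltrim(isset($parts['path']) ? $parts['path'] : '', '/\\');
    return $query ? $path . '?' . http_build_query($query) : $path;
}

// Apply the settings before session_start(); ini_set() returns false when
// the host has locked a setting.
function start_cookie_only_session()
{
    $wanted = array(
        'session.use_cookies'      => '1', // carry the ID in a cookie
        'session.use_only_cookies' => '1', // ignore IDs supplied in the URL
        'session.use_trans_sid'    => '0', // stop appending PHPSESSID to links
    );
    foreach ($wanted as $key => $value) {
        if (ini_set($key, $value) === false) {
            error_log("session bootstrap: cannot override $key");
            return false;
        }
    }
    return session_start();
}

if (PHP_SAPI !== 'cli') {
    // Old bookmarked or indexed links: send the visitor to the clean URL.
    $clean = url_without_sid($_SERVER['REQUEST_URI'], session_name());
    if ($clean !== null) {
        header('Location: ' . $clean, true, 301);
        exit;
    }
    start_cookie_only_session();
}
```
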
quiettech Posted April 5, 2008

If you link to external websites, your webpage users risk leaving their session ID in that external website's referrer log. This has the potential of allowing someone else to access your website with that user's credentials as long as the session is still active. It's also a source of many other SID-based exploits.

There's no real solution I'm aware of. However, if you don't mind a user leaving to another website through a link on your own to also terminate the session, you can do the following.

- Create an external.php file. All your external links will link here instead, in the format external.php?dir=www.whatever.com
- Inside, store the $_GET['dir']
- Kill the session with session_destroy()
- Unset the session ID with unset()
- Finally, redirect to dir.

I believe this may disable passing along your session ID. It also has the advantage of streamlining your external links for future uses.

EDIT: oops. Too late.
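
Added example (not quiettech's code): one way to write the external.php steps listed above so that the `dir` parameter cannot be used to redirect visitors to arbitrary sites. `$allowedHosts`, `external_target` and `end_session` are hypothetical names, the allowlist entry is constructed from the post's own sample link, and the session is emptied and its cookie expired in place of the `unset()` step.

```php
<?php
// external.php: added example, not quiettech's code. $allowedHosts is a
// constructed allowlist; without one, ?dir= would redirect to any site.
$allowedHosts = array('www.whatever.com');

// Links use the form external.php?dir=www.whatever.com (no scheme).
// Returns the full URL to redirect to, or null if the value is rejected.
function external_target($dir, $allowedHosts)
{
    // Reject non-strings, control characters, spaces and backslashes.
    if (!is_string($dir) || $dir === '' || preg_match('/[^\x21-\x7e]|\\\\/', $dir)) {
        return null;
    }
    $parts = parse_url('http://' . $dir);
    if ($parts === false || !isset($parts['host']) || isset($parts['user'])) {
        return null; // unparsable, or a user@host form
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return 'http://' . $dir;
}

// Empty the session, expire its cookie and delete the server-side data.
function end_session()
{
    session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    $dir = isset($_GET['dir']) ? $_GET['dir'] : null;
    $target = external_target($dir, $allowedHosts);
    if ($target === null) {
        header('HTTP/1.1 400 Bad Request');
        exit('Unknown external link');
    }
    end_session();
    header('Location: ' . $target, true, 302);
    exit;
}
```

Because the session is destroyed before the redirect, a session ID that still reaches the external site's referrer log no longer maps to any server-side session data.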