[phplib] Session_id removed from URL on first page From: Jeroen Laarhoven (jeroen <email protected>)
Date: 07/04/00

When using sessions in cookie mode with GET fallback mode, a user that
accepts cookies will still get the Session_id in the URL of the first page
of a new session.

This causes problems:
- when this first page is bookmarked (the Session_id is also bookmarked);
- with (some) search engine spiders (the Session_id will get into the index).

Below you find some code that solves this problem by asking the client for
another request for the page, which is then sent without the session_id in
the URL. Result: you will no longer see any Session_id in the URL if you
accept cookies.

End-users:
=========

Copy these two functions into your extended sessions class in local.inc. They
will then override the function release_token() in session.inc.

PHPLIB developers:
================

Please review the code and, if it is ok and agreed that it is an improvement,
can someone update session.inc in the CVS? I do not have CVS write access (nor
a CVS client running).
The code is based on the 7.3 version of release_token() in session.inc.

Greetings
Jeroen.

THE CODE
=========

  function release_token( $sid = "" ) {
    global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS, $QUERY_STRING;

    if (isset($this->fallback_mode) && ('get' == $this->fallback_mode) &&
        ('cookie' == $this->mode)) {
      $cookie_set  = isset($HTTP_COOKIE_VARS[$this->name]);
      $getpost_set = isset($HTTP_GET_VARS[$this->name]) ||
                     isset($HTTP_POST_VARS[$this->name]);

      if (!$cookie_set && !$getpost_set) {
        // none - first load of page: set cookie and GET id, ask for a reload
        $this->get_id($sid);                // generate session ID and set the cookie
        $this->mode = $this->fallback_mode; // so self_url() includes the GET id
        $this->ask_for_new_request();       // will exit!
      } elseif ($cookie_set && $getpost_set) {
        // both - second load of page: the cookie came back, so remove the
        // id from the query string and ask for one more reload
        $this->get_id($sid);
        if (isset($QUERY_STRING)) {
          // self_url() builds the new URL from $QUERY_STRING. The id is
          // quotemeta()'d so it is matched literally; the trailing '&' left
          // behind when the id was the last parameter is dropped afterwards.
          // (ereg_replace() was removed in PHP 7; use preg_replace() there.)
          $QUERY_STRING = ereg_replace(
            '(^|&)' . quotemeta(urlencode($this->name)) . '=' .
            quotemeta($this->id) . '(&|$)',
            '\\1', $QUERY_STRING);
          $QUERY_STRING = ereg_replace('&$', '', $QUERY_STRING);
        }
        $this->ask_for_new_request();       // will exit!
      } elseif ($getpost_set) {
        // GET id but no cookie: the client refuses cookies, go to fallback mode
        $this->mode = $this->fallback_mode;
      }
      // cookie only: normal cookie-mode request, nothing to do
    }
  }

  function ask_for_new_request( $url = '' ) {
    global $HTTP_HOST, $HTTPS;

    if (!$url) $url = $this->self_url();
    $PROTOCOL = (isset($HTTPS) && $HTTPS == 'on') ? 'https' : 'http';
    // and you also need to fix suexec as well if you use Apache and CGI PHP
    header('Status: 302 Moved Temporarily');
    // $HTTP_HOST is the client's Host header: a forged Host makes this
    // redirect point at another host, so use a configured hostname or a
    // relative Location if that matters in your setup
    header("Location: $PROTOCOL://$HTTP_HOST$url");
    exit;
  }

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Jeroen Laarhoven, Zwolle, Netherlands
email: jeroen <email protected>
www: http://jeroen.polder.net
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
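The cookie-versus-GET handshake the post describes (first load: set cookie and reload with the id in the URL; second load with both present: reload once more without it; GET id only: stay in GET mode), written out as an added example. This is not Jeroen's code and not PHPLIB's: it targets PHP 7.3+ with the modern superglobals, the parameter name PHPLIBSID and every function name below are assumptions made here, and it goes a little beyond the post in three places: the query string is filtered pair by pair instead of with a regex (no stray '&', no id interpolated into a pattern), the redirect uses a relative Location built from the request path so the client-controlled Host header is never echoed, and in the cleanup hop the cookie is treated as authoritative while the id in the URL is simply discarded.

```php
<?php
// Added example, not PHPLIB code. Names (PHPLIBSID, plan_session_transport, ...)
// are assumptions for this illustration.
declare(strict_types=1);

const SESSION_NAME = 'PHPLIBSID';   // assumed cookie / GET parameter name

// Classify the request by which carriers of the session id are present.
//   'first'    - neither: new session, set cookie, reload with id in the URL
//   'cleanup'  - both: the cookie came back, reload once more without the id
//   'fallback' - GET/POST only: cookie refused, stay in GET mode from now on
//   'cookie'   - cookie only: ordinary request, nothing to do
function transport_state(bool $cookie_set, bool $getpost_set): string
{
    if (!$cookie_set && !$getpost_set) return 'first';
    if ($cookie_set && $getpost_set)   return 'cleanup';
    return $getpost_set ? 'fallback' : 'cookie';
}

// Drop one parameter from a query string, keeping every other pair as sent.
// Keys are compared after decoding so an encoded name is still recognised.
function strip_query_param(string $query, string $name): string
{
    $kept = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') continue;
        if (urldecode(explode('=', $pair, 2)[0]) === $name) continue;
        $kept[] = $pair;
    }
    return implode('&', $kept);
}

// Same-origin redirect target: path of the current request plus the filtered
// query, optionally with a fresh session id appended. The path is normalised
// to a single leading slash so "//host/x" or "/\host/x" cannot turn the
// relative Location into a protocol-relative URL.
function self_url(string $request_uri, string $name, ?string $id = null): string
{
    $path  = '/' . ltrim((string) (parse_url($request_uri, PHP_URL_PATH) ?: '/'), '/\\');
    $query = strip_query_param((string) parse_url($request_uri, PHP_URL_QUERY), $name);
    if ($id !== null) {
        $query .= ($query === '' ? '' : '&') . rawurlencode($name) . '=' . rawurlencode($id);
    }
    return $query === '' ? $path : $path . '?' . $query;
}

// Decide what to do with a request without touching headers, so the logic can
// be exercised from the CLI: returns state, redirect target and new id (if any).
function plan_session_transport(array $cookie, array $get, array $post, string $request_uri): array
{
    $cookie_set  = isset($cookie[SESSION_NAME]);
    $getpost_set = isset($get[SESSION_NAME]) || isset($post[SESSION_NAME]);
    $state = transport_state($cookie_set, $getpost_set);
    $plan  = ['state' => $state, 'location' => null, 'new_id' => null];

    if ($state === 'first') {
        $plan['new_id']   = bin2hex(random_bytes(16));   // unguessable session id
        $plan['location'] = self_url($request_uri, SESSION_NAME, $plan['new_id']);
    } elseif ($state === 'cleanup') {
        // The cookie is authoritative from here on; the id in the URL is only
        // removed, never adopted, so an id smuggled into a link is not honoured.
        $plan['location'] = self_url($request_uri, SESSION_NAME);
    }
    return $plan;
}

// Apply a plan inside a real request: set the cookie and/or redirect.
function apply_session_transport(array $plan): void
{
    if ($plan['new_id'] !== null) {
        setcookie(SESSION_NAME, $plan['new_id'],
                  ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    }
    if ($plan['location'] !== null) {
        header('Location: ' . $plan['location'], true, 302);
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed walk through the hops of a cookie-accepting client, plus one
    // request from a client that refused the cookie.
    $uri  = '/shop/list.php?cat=5';
    $hop1 = plan_session_transport([], [], [], $uri);
    $id   = $hop1['new_id'];
    $withId = $uri . '&' . SESSION_NAME . '=' . $id;
    $hop2 = plan_session_transport([SESSION_NAME => $id], [SESSION_NAME => $id], [], $withId);
    $hop3 = plan_session_transport([SESSION_NAME => $id], [], [], $uri);
    $refused = plan_session_transport([], [SESSION_NAME => $id], [], $withId);
    printf("hop1: %s -> %s\nhop2: %s -> %s\nhop3: %s\nno-cookie client: %s\n",
        $hop1['state'], $hop1['location'], $hop2['state'], $hop2['location'],
        $hop3['state'], $refused['state']);
} else {
    apply_session_transport(plan_session_transport(
        $_COOKIE, $_GET, $_POST, $_SERVER['REQUEST_URI'] ?? '/'));
}
```

Run it with `php handshake.php` to see the three hops (first -> URL with the id, cleanup -> URL without it, then cookie) and the single 'fallback' classification for a client that never sends the cookie back, which is what prevents a redirect loop: only the 'first' and 'cleanup' states redirect, and a cookie-refusing client reaches neither a second time. In the 'fallback' state the application is expected to append the id to its own links, as PHPLIB's self_url() does in GET mode; that part is unchanged by this example.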