Re: [phplib]duplitcated Session ID? From: Jeroen Laarhoven (jeroen <email protected>)
Date: 10/05/00

REPOST:

When using sessions in cookie mode with GET fallback mode, a user that
accepts cookies will still get the Session_id in the URL of the first page
of a new session.

This causes problems:
- when this first page is bookmarked (the Session_id is also bookmarked);
- with (some) search engine spiders (the Session_id will get in the index).

Below you find some code that solves this problem by asking the client for
another request for the page, then sent without the session_id in the URL.
Result: you will no longer see any Session_id in the URL if you accept
cookies.

End-users:
=========

Copy these two functions into your extended sessions class in local.inc. This
function will then override the function release_token() in session.inc.

PHPLIB developers:
================

Please review the code and, if ok and agreed that it is an improvement, can
someone update session.inc in the CVS? I do not have CVS write access (and a
CVS client running).
The code is based on the 7.3 version of release_token() in session.inc.

Greetings
Jeroen.

THE CODE
=========

  function release_token( $sid = "" ) {
    global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS, $QUERY_STRING;

    if (isset($this->fallback_mode) && ('get' == $this->fallback_mode) &&
        ('cookie' == $this->mode)) {
      $cookie_set = isset($HTTP_COOKIE_VARS[$this->name]);
      $getpost_set = isset($HTTP_GET_VARS[$this->name]) ||
                     isset($HTTP_POST_VARS[$this->name]);

      if (!$cookie_set && !$getpost_set) {
        // none - first load of page : set cookie & get and ask for reload
        $this->get_id($sid); // generate session ID and setup cookie
        // to generate self_url() including GET
        $this->mode = $this->fallback_mode;
        $this->ask_for_new_request(); // will exit !
      } elseif ($cookie_set && $getpost_set) {
        // both - second load of page : remove id from get and ask for reload
        $this->get_id($sid);
        if ( isset($QUERY_STRING) ) {
          // strip "name=id" from the query string so the redirect URL is clean
          $QUERY_STRING = ereg_replace(
            '(^|&)'.quotemeta(urlencode($this->name)).'='.$this->id.'(&|$)',
            '\\1', $QUERY_STRING);
        }
        $this->ask_for_new_request(); // will exit !
      } elseif ($getpost_set) {
        // no cookie : go to fallback_mode
        $this->mode = $this->fallback_mode;
      }
    }
  }

  function ask_for_new_request( $url = '') {
    global $HTTP_HOST, $HTTPS;

    if (!$url) $url = $this->self_url();
    $PROTOCOL = (isset($HTTPS) && $HTTPS == 'on')? 'https' : 'http';
    // and you also need to fix suexec as well if you use Apache and CGI PHP
    header('Status: 302 Moved Temporarily');
    header("Location: $PROTOCOL://$HTTP_HOST$url");
    exit;
  }

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Jeroen Laarhoven, Zwolle, Netherlands
email: jeroen <email protected>
www: http://jeroen.polder.net
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

----- Original Message -----
From: "Johnson, Kirk" <kjohnson <email protected>>
To: "'Jeroen Laarhoven'" <jeroen <email protected>>
Sent: Thursday, October 05, 2000 6:36 PM
Subject: RE: [phplib]duplitcated Session ID?

> Jeroen,
>
> Could you re-post your solution, please? Somehow I missed it the first time
> around. Thanks! This has been a problem for me, as well.
>
> Kirk
>
> Kirk Johnson
> Bozeman, MT, USA
>
> -----Original Message-----
>
> This might also be caused by the fact that the first page of a session
> includes a Sid.
> If you bookmark this, or even worse a search engine spider stores it in its
> DB ...
>
> you get others entering with THIS old sid.
>
> Some weeks ago I posted on this list (twice) a PHPLIB change that causes the
> first page to refresh a third time, removing the sid from the URL (if
> cookies are allowed).
>
>
>
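
Added example, not part of the original post or of PHPLIB: a log check for the symptom discussed in this thread, one session ID in a URL being requested by a spider or reused by several clients. The parameter name Example_Session, the Combined Log Format layout, the crawler pattern and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "Example_Session"  # assumption: session class name used as GET parameter
CRAWLER_RE = re.compile(r"bot|spider|crawl|slurp", re.I)  # assumption: crude agent match
# Combined Log Format: ip ident user [time] "METHOD url PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2000:18:01:02 +0200] "GET /index.php3?Example_Session=aaaa1111 HTTP/1.0" 200 512 "-" "Mozilla/4.7"
192.0.2.10 - - [05/Oct/2000:18:01:09 +0200] "GET /news.php3 HTTP/1.0" 200 734 "-" "Mozilla/4.7"
198.51.100.7 - - [05/Oct/2000:18:02:00 +0200] "GET /index.php3?Example_Session=bbbb2222 HTTP/1.0" 200 512 "-" "ExampleSpider/1.0"
203.0.113.5 - - [06/Oct/2000:09:15:41 +0200] "GET /index.php3?Example_Session=bbbb2222 HTTP/1.0" 200 512 "-" "Mozilla/4.7"
203.0.113.99 - - [06/Oct/2000:11:30:12 +0200] "GET /shop.php3?cat=3&Example_Session=bbbb2222 HTTP/1.0" 200 901 "-" "Mozilla/4.5"
"""

def sid_from_url(url):
    """Return the session ID carried in the URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def find_shared_session_ids(log_text):
    """Map each suspicious session ID to the sorted reasons it was flagged."""
    clients = defaultdict(set)   # session ID -> client addresses that sent it
    reasons = defaultdict(set)   # session ID -> why it was flagged
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, url, agent = m.groups()
        sid = sid_from_url(url)
        if not sid:
            continue
        clients[sid].add(ip)
        if CRAWLER_RE.search(agent):
            reasons[sid].add("requested by crawler")
    for sid, ips in clients.items():
        if len(ips) > 1:         # proxies can cause false positives here
            reasons[sid].add("used from %d client addresses" % len(ips))
    return {sid: sorted(r) for sid, r in reasons.items()}
```

Session IDs flagged this way are candidates for invalidation on the server, since anyone following the indexed or bookmarked link enters the same session.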
