Disable session IDs passed via URL

URL based session management does not only have additional security risks compared to cookie based session management, but it can cause also real problems when search engines index your pages. Your visitors may send an URL that contains an active session ID to their friends or they may save the URL that contains a session ID to their bookmarks and access your site with the same session ID always. The same way your visitors can store URL’s with sessions ID’s, search engines may index them as well, this means new users will access your site with an older session ID. But not only that, most search engines want to provide relevant results for their users, so different pages (URL’s) with the same content can be penalized or even banned.

We must all admit, SESSID or PHPSESSID added to the end of an URL doesn’t look very nice and it’s even not easy to remember. For this reason and all the above, you should disable URL based session management on your sites, and keep session ID’s in cookies instead. Granted, if you disable session ID’s in the URL, it can become a usability issue, because all visitors must have cookies enabled to make use of any code that requires sessions, like login scripts, but there are other ways to manage this internally.

The easiest way to prevent session ID’s added automatically by PHP to all of your URL’s, is to disable them system wide withing a .htaccess file. This file, containing one or more configuration directives that apply to that directory, and all subdirectories thereof.

If you do not have a file called .htaccess in the root folder of your website, please create one and add following code to it:

php_value session.use_only_cookies 1 php_value session.use_trans_sid 0

Some server configurations won’t allow you to change PHP settings within your .htaccess file. You can have the same result if you store the configuration to a regular PHP file, that you include (once) on top of all other script files of your website. Simply add following code to the file:

<?php if (function_exists (‘ini_set’)) { //Use cookies to store the session ID on the client side @ ini_set (‘session.use_only_cookies’, 1); //Disable transparent Session ID support @ ini_set (‘session.use_trans_sid’, 0); } ?>

An additional step is required if you already have indexed pages on search engines with session ID’s added to the URL’s, or if you know that people could have bookmarked them. You can do it even to simply prevent this from happening. The same way the above, always included, PHP file works, you can redirect pages with a session ID attached to it’s URL to the same page with no ID, and send a “301 Moved Permanently” header. Sending this header, basic visitors won’t notice anything, but search engines will know next time they crawl your page that the URL is wrong and moved to it’s new location with no session ID attached and update their listing. Either you include the above code to the file or not, following code will help you a lot:

<?php //Determine current URL $URL = ‘http://’.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; //Decode and clean URL $URL = urldecode ($URL); $URL = str_replace (‘&’, ‘&’, $URL); //Check if PHP is not in safe mode, //and PHPSESSID is passed via URL if (!ini_get (‘safe_mode’) && preg_match (‘#’.session_name().‘=([^=&\s]*)#i’, $URL)) { //Remove PHPSESSID junk and unneeded characters (“&” or “?”) at end of URL $URL = preg_replace ( array (‘#(\?|&)’.session_name().‘=([^=&\s]*)#’, ‘#(&|\?)+$#’), ”, $URL); //Send Moved Permanently header @ header (“HTTP/1.1 301 Moved Permanently”); //Redirect to clean URL @ header (“Location: “ . trim ($URL)); //End current script exit(); } ?>

If you already have indexed pages on search engines, the update can take some time, specially on Google. It will happen in time, you can’t expect results within minutes. Maybe Yahoo! and MSN will update their index sooner, Google however needs more. It’s worth to do it, you won’t have just clean and aesthetic URL’s, but also better search positions and higher Pagerank if you are lucky. The redirect to your clean URLs is done dynamically, that’s why we use PHP, it’s not hard coded and does not require to update all files like most other solutions available on the internet.

Comments