session.use_only_cookies

Forum Moderators: coopster

Message Too Old, No Replies

session.use_only_cookies

URL's without session ID - no success with htaccess and ini_set

captainhannes

7:16 pm on Jul 22, 2003 (gmt 0)

Hi all!

Users can login at my site, but I want to avoid session ID's in the URL's due optimizing for search engines.

I already tried


ini_set("session.use_only_cookies", "on");
ini_set("session.use_only_cookies", "1");
ini_set("session.use_only_cookies", 1);

or in .htaccess


php_flag session.use_only_cookies on

but nothing works.
Any ideas why everything fails?
(I have only webspace, so I don't have access to php.ini)
(PHP4.1.2 on Linux)

Thank you all very much in advance!

Best regards,
Hannes.

ProfMoriarty

8:48 pm on Jul 22, 2003 (gmt 0)

Hello captain,

as written in the online manual:

session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.

So you can´t modify this setting with your PHP version.

See [php.net...] for further information.

Best,

Lars

captainhannes

4:53 pm on Jul 23, 2003 (gmt 0)

Thank you Professor :-)

I missed this little detail about the version somehow.

Currently I do not start the session when the reverse lookup of the IP matched to /google/, so this works quite fine, but it fails for other search engines.

Well, I think I must wait until my ISP upgrades the version to 4.3.0 ...

Thanks again!

All the best,
Hannes.

vincevincevince

4:55 pm on Jul 23, 2003 (gmt 0)

i guess you'll have to match the other search engines too i'm afraid...

or how about matching users? just match all the browsers you can think of - and add in X11, XP, ME, 98, MacOS etc... that should cover just about all human user's UA strings!

captainhannes

8:31 pm on Jul 23, 2003 (gmt 0)

Vince,

the UA idea is perfect! Thanks a lot! :-)

All the best,
Hannes.