Bug #28900

All links have Parameter PHPSESSID at first load of website URL

Added by Manfred Langhammer over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Won't have this time
Category: -
Target version: -
Start date: 2011-08-10
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Since Typo3 4.5.4, if a website is called the first time in the browser (= php tries to set the session cookie PHPSESSID the first time), all links are appended with a URL parameter "?PHPSESSID=xxxx".
It seems that this is the "default" behaviour of php if php does not know if a session cookie could be set. However, this does not happen if I change the Typo3 version of this website back to 4.5.3.
This happens without login in backend or frontend and with all browsers I tested (= Firefox, IE, Safari, Opera, Chrome).

Ways to reproduce:
1) Change typo3_src to 4.5.4
2) Delete all session cookies in the browser before loading the URL
3) Load the URL -> All links are appended with PHPSESSID parameter; after reload of the page the parameter disappears (as the cookie is set now). If I deactivate cookies, the PHPSESSID parameter is added permanently.
4) Change typo3_src to 4.5.3
5) Delete all session cookies in the browser before loading the URL
6) Load the URL -> NO PHPSESSID parameter

This is a big problem from my point of view because the links with the PHPSESSID also appear in search engine result links. And the HTML does not validate with these link parameters.

I found the following report of another user reporting this issue: http://old.nabble.com/after-typo3-upgrade-to-4.5.4-PHPSESSID-is-shown-in-browser-url-td32192989.html


Related issues

Related to TYPO3 Core - Bug #29274: Regression on session handling for security fix (Closed, Helmut Hummel, 2011-08-26)
Related to TYPO3 Core - Bug #24456: Information disclosure during backend login (Closed, 2011-01-03)
Has duplicate TYPO3 Core - Bug #29021: PHPSESSID is displayed in browser URL (Closed, 2011-08-16)

#1

Updated by Thorsten Kahler over 10 years ago

  • Status changed from New to Needs Feedback
  • Assignee set to Manfred Langhammer
  • Priority changed from Must have to -- undefined --

Hi Manfred, you probably have session.use_trans_sid enabled on your host. This setting appends the (newly generated) session ID to all links when it's unclear whether the client supports cookies.

See PHP documentation

#2

Updated by Helmut Hummel over 10 years ago

  • Priority changed from -- undefined -- to Won't have this time

Indeed the session initialisation changed in 4.5.4.

But this is not the reason for the session id being set in the URLs.

Please check if you set

session.use_only_cookies

to true, which is recommended.

#3

Updated by Manfred Langhammer over 10 years ago

Hi and thx for the reply!

First I set session.use_only_cookies = 1 -> didn't help
Then I additionally set session.use_trans_sid = 0 -> PHPSESSID Parameter GONE with 4.5.4!!

Wondering why session.use_trans_sid = 1 is the default at my provider (domainfactory)

Whatever: Working since many years now with typo3 at domainfactory and never had this PHPSESSID parameter before - so I guess that something changed in 4.5.4 that needs these settings now. Maybe this was set on the script level before?

#4

Updated by Susanne Moog over 10 years ago

  • Status changed from Needs Feedback to Closed

Closing this one as it is solvable by configuration. Other people with this problem will find the bug report and can solve it the same way.
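
As an added example (not part of the ticket and not TYPO3 code), the following Python script audits php.ini or .htaccess text for the two directives discussed in comments #1 to #3, so that a session ID in URLs is caught before it reaches search engine results. The sample configurations are constructed, and treating a later line as overriding an earlier one is an assumption.

```python
import re

# Words PHP accepts for boolean ini values (case-insensitive).
TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false", "none", ""}

# The two directives from the thread and the values it settles on.
WANTED = {"session.use_trans_sid": False, "session.use_only_cookies": True}

# "name = value" (php.ini) or "php_flag name value" / "php_value name value" (.htaccess).
LINE = re.compile(r"^\s*(?:php_(?:flag|value)\s+)?(session\.[a-z_]+)\s*(?:=|\s)\s*(.*?)\s*$", re.I)

def parse_bool(raw):
    word = raw.strip("\"' \t").lower()
    if word in TRUE_WORDS:
        return True
    return False if word in FALSE_WORDS else None

def audit(config_text):
    """Return {directive: 'ok' | 'risky' | 'unset' | 'unparsed'}.
    Assumption: a later line overrides an earlier one for the same directive."""
    seen = {}
    for line in config_text.splitlines():
        match = LINE.match(line.split(";", 1)[0])  # drop php.ini ';' comments
        if match and match.group(1).lower() in WANTED:
            seen[match.group(1).lower()] = parse_bool(match.group(2))
    report = {}
    for name, wanted in WANTED.items():
        if name not in seen:
            report[name] = "unset"      # runtime default applies, check phpinfo()
        elif seen[name] is None:
            report[name] = "unparsed"
        else:
            report[name] = "ok" if seen[name] == wanted else "risky"
    return report

# Constructed samples following comments #1 to #3 of the thread.
HOST_DEFAULT = "; constructed: provider default\nsession.use_trans_sid = 1\n"
FIRST_TRY = HOST_DEFAULT + "session.use_only_cookies = 1\n"
FIXED = FIRST_TRY + "session.use_trans_sid = 0\n"
HTACCESS = "php_flag session.use_trans_sid off\nphp_flag session.use_only_cookies on\n"

if __name__ == "__main__":
    for label, text in [("host default", HOST_DEFAULT), ("first try", FIRST_TRY),
                        ("fixed", FIXED), (".htaccess", HTACCESS)]:
        print(label, audit(text))
```

A directive reported as "unset" is not configured in the audited text, so the value in effect has to be read from the running PHP instance.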
