Bug #28900

All links have Parameter PHPSESSID at first load of website URL

Added by Manfred Langhammer over 10 years ago. Updated over 10 years ago.

Won't have this time
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


Since Typo3 4.5.4 if a website is called the first time in the browser (= php tries to set the session cookie PHPSESSID the first time) all links are appended wit a URL Parameter "?PHPSESSID=xxxx"
It seems that this is the "default" behaviour of php if php does not know if a session cookie could be set. However this does not happen if I change the Typo3 version of this website back to 4.5.3.
This happens without login in backend or frontend and with all browsers I testes (= Firefox, IE, Safari, Opera, Chrome)

Ways to reproduce:
1) Change typo3_src to 4.5.4
2) Delete all session cookies in the browser before loading the URL
3) Load the URL -> All links are appended with PHPSESSID parameter, after reload of the page the Parameter dissappears (as the cookie is set now), if I deactivate cookies the PHPSESSID Parameter is added permanently.
4) Change typo3_src to 4.5.3
5) Delete all session cookies in the browser before loading the URL
6) Load the URL -> NO PHPSESSID parameter

This is a big problem from my point of view because the links with the PHPSESSID also appear in search engine result links. And the HTML does not validate with this Link Parameters.

I found the following report of another user reporting this issue: http://old.nabble.com/after-typo3-upgrade-to-4.5.4-PHPSESSID-is-shown-in-browser-url-td32192989.html

Related issues

Related to TYPO3 Core - Bug #29274: Regression on session handling for security fixClosedHelmut Hummel2011-08-26

Related to TYPO3 Core - Bug #24456: Information disclosure during backend loginClosed2011-01-03

Has duplicate TYPO3 Core - Bug #29021: PHPSESSID is displayed in browser URLClosed2011-08-16


Also available in: Atom PDF