Why You Should Disable PHP's session use_trans_sid
PHP will add a unique PHPSESSID query pair to URIs within your site if cookies are not available and session.use_trans_sid is set. While this helps people who do not accept cookies, search engines will rank your site low.
Why should I care
With the release of PHP version 4.2.0 you don't need to configure PHP with --enable-trans-sid to have transparent session support, this means that a lot more hosts will have it.
Without this feature you can usually choose between sending cookies to the visitor and modifying the URLs, with cookies being the default setting. Cookies do no harm (most of the time) but appending a query string to all URLs is quite different.
Search engines
When search engines crawl your site usually they won't remember sent cookies so PHP will modify the links for them. As a result of that the links to your site at Google will always have a query string with the session attached to them, besides the fact that they will look bad search engines will crawl less of your site and you don't want that with search engines being the most popular way for people to find a site.
What's more they may even consider your site as mirroring itself when they got different sessions appended. This looks to search engines as if different pages have exactly the same content, and they will lower your rank or even ban it.
XHTML 1.0 Strict or XHTML 1.1 validation
If you have forms and have left the default settings for the rewritable tags PHP will also add a hidden input to forms on your site but does that in such a way that your code cannot validate as XHTML 1.0 Strict or XHTML 1.1.
How do I deal with that
You can disable that feature via a .htaccess file or directly from PHP code.
For a .htaccess file you should add the following line:
php_flag session.use_trans_sid off
And in PHP code:
ini_set('session.use_trans_sid', false);
Delicious
Digg
Reddit
Technorati
Comments
PHPSESSID hidden field automaticinseted into forms
remeber to call
ini_set('session.use_trans_sid', false);
before
session_start();
www.isomorphicnet.com
making links absolute rather then relative
I've done the ini_set on my site, but it still seems to place the sessionid in the url for relative links -- say [a href="/page.php"], it will still change it even when I reset the trans_sid to false (before the session_start()).. So, I've made them absolute links and this seemed to resolve the issue..
turn url_rewriter.tags off
ini_set('session.use_trans_sid', false); won't help,
but
ini_set("url_rewriter.tags","");
does
Forget everything but htaccess
<IfModule mod_php4.c>
php_flag session.use_trans_sid off
</IfModule>
This page (and Martin Tsachev) saved my day, or rather my week.
I've been working pretty hard to get those damned sessionids out of the url.
The versions of PHP-environments I currently work in are 4.3.2 and 4.3.3. No matter what the manuals say, the ini_sets session.use_only_cookies and session.use_trans_sid have failed. And url_rewriter.tags simply disables session-starting at all.
Before these endeavours I spend some time contructing complicated sequences of header- and refresh-redirects, until I picked up that the session simply dies during a redirect (unless you write ?PHPSESSID=$PHPSESSID into the executing urls, obviously getting nowhere in the attempts to get rid of the sh..).
But the .htaccess-expression does the trick.
Hooray!
Thanks jfmsimplecomplex
That was exactly what i needed to see.
I wasn't sure how to write it in the .htaccess file.
You couldn't have made it clearer.
Hooray Indeed :)
PHP session IDs and google
I finished developing my site before fully understanding the google-monster.
I was really worried about turning my SESSION IDs off in case my real customers had dropped sessions, or didn't have cookies enabled. So.... I am trying the following in an attempt to get google and the only other webcrawler on my site to have a good root round by turning the URL rewriter tags only for these user agents.
I've done this by checking the HTTP_USER_AGENT as follows BEFORE any session_start() command:
if(strpos($_SERVER['HTTP_USER_AGENT'],"google")!==false or strpos($_SERVER['HTTP_USER_AGENT'],"MSIECrawler")!==false)
{
ini_set("url_rewriter.tags","");
}
Hope this is of use to those folks stuck up the same tree I was,
Astronaut Pete
PS how about making the add comments box a bit bigger???!!
What about IIS Servers?
IIS does not use a .htaccess file. What do we do for this?
Turn this off in php altogether...
Find 'session.use_trans_sid' in your php.ini file and make sure it's set to 0, i.e. 'session.use_trans_sid = 0'. This is off by default in PHP Version 4.3.4, I don't know about other versions, sorry.
php sessions & search engines
or you could just use the user agent string with get_browser(); to exclude search engines from being assigned any of the session features. this could be a better approach as then anyone using non-cookie enabled browsers will still be able to enjoy your site and buy your products
runtime control of trans_sid
Using
ini_set('session.use_trans_sid', false);
will NOT work if you are using PHP as a compiled-in module to Apache (and possibly other servers). BUT(!) Martin and Astronaut Pete are correct in suggesting
ini_set("url_rewriter.tags","");
because that is a RUNTIME modifiable string. This allows trans_sid to do its thing, but it doesn't have any "thing" to do.
Result: runtime control of trans_sid for people using complied in PHP modules.
hth
create directory [drive]:\tmp first
[drive] should be the drive you've got your files on
YOU......................
............BEAUTY!!!!!!!!
I will recommend this page to everyone I know (who also has PHP session problems).
help
Hi All,
I'm currently running my php script on linux server. I have the similar problem as "dejen" mentioned above.
It there any posibilty to change "session_save_path=/tmp" to window environment (client) "session_save_path="c:\tmp"
Please advisse me if any mistake that I mentioned above.
Thanks!
Session id
How can I pass a session ID to a page without using cookies?
I know that I can pass it through the URL, but how can I prevent other to see it in the URL?.
Another solution for XHTML
As far as XHTML validation is concerned, another nice solution with the added advantage that it doesn't disable the trans_sid functionality itself is:
ini_set('arg_separator.input','&');
ini_set('arg_separator.output','&');
It simply changes the invalidating ampersant from & to &, solving the problem! This is also a good solution if ini_set('session.use_trans_sid','0') doesn't work but you don't want to/can't temper with .htaccess files.
~Grauw
Session id in forms
I do want session ID to work in the members only section of my site, and want to pass the ID through an html form. I use ?session_name=session_ID. at the end of URLs, but what should I put in the Form?
Thanks
Session id in forms
put <input type="hidden" and name = "session_name" and value = "<? echo $session_Id; ?>">
something like that
This is just not working for me...
I have this in the first lines of my php code:
//Session ID should not be added to URL's
ini_set('session.use_trans_sid', false);
ini_set("url_rewriter.tags","");
My .htaccess file is:
php_flag session.use_trans_sid off
IndexIgnore *
And it just doesn't work... At my home test server it does, but in the production server it doesn't...
Production server phpinfo: http://www.websitefacil.com/info.php
php session with client re-direction
Hi,
I'm trying to use php session in my site. It works fine when I re-direct pages from server side (require). But if if re-redirect to a page from clint side (using javascript) next page cannont access my session variables!! can any one help me pls..
chami
PHPSESSID and Google not a problem?
I don't think this is a problem any more with Google. Google doesn't show the sessid in their serps although the actual link still contains it. I came across many pages with decent PageRank which had a sessid. ref.: http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=deskbar&q=inurl%...
The one think i'm unsure of is maybe the pages i looked at are doing something special that i don't know about..testing to see if the user is a googlebot, for example, AND another thing actually is i am not sure if it affects how deep google crawls their site. Someone could test that by running site: on a particular site and their running a link tester (w/ their permission) and comparing the total links from the link tester with google's site: value.
Session change & and dont go through pages
Hi, I am relative new to php. I was learning php about a month. I have a problem with the sessions that I guess is something in my php.ini, but I am not sure. I have APACHE-PHP-MYSQL server, and I upgrade to PHP 5.02 trying to get the sessions work, but was futile.
I try this code:
<?php
session_start();
//session_register('contador');
session_name('misesion');
printf ("Actual Session is: ".session_id()."<br>");
echo '<a href="'.$PHP_SELF.'?'.SID.'">Counter SID is: '.++$_SESSION['contador'].'</a><br>';
echo '<a href="'.$PHP_SELF.'?'.$PHPSESSID.'">Counter PHPSESSID is: '.++$_SESSION['contador']. '</a><br>';
echo 'Session name is '.session_name().' and the session '.$_REQUEST[misesion].'<br>';
echo '<a href="sesion2.php?SID">With SID</a><br>';
echo '<a href="sesion2.php?$PHPSESSID">With PHPSESSID</a><br>';
?>
With the Counter SID the session goes normally, with the Counter PHPSESSID, the session resets each time. Dont get it.
Then, never gives me $_REQUEST[misesion] (I change to $misesion and $_SESSION[misesion]) and nothing.
But the real problem is that when I send to sesion2.php the session_id() shows me that a new session open, with SID or PHPSESSID. In that way I cant maintain the sesion through pages, what can I do or what I am doing wrong?
Other thing, is that when I hit the Counter SID, my url appears like this:
http://localhost/pruebas/sesion.php?PHPSESSID=61ca9c60b10cc8f481ac9c1eac...
Is any way to hide the session number from there too?
ini_set('session.use_trans_sid', false);
if my version is later than 4.2 will ini_set('session.use_trans_sid', false); actually change anything?
ini_set("url_rewriter.tags","");worked for me!!!! Thanks so much, my XHTML 1.1 strict now validates using sessions.Thanks. Exactly what I needed! Worked like explained.
[...] Ds in URLs stoßen, von ästhetizierenden Webmastern gar nicht erst zu sprechen. U.a. ein Blogeintrag von Martin Tsachev beschreibt, wie man sich dieser u [...]
If you prefer to use url rewriting for your sessions, but wish to make your site search engine friendly, this code works well.
$br = get_browser();
if (!($br->crawler))
{
session_start();
... any session-related code
}
To use the function get_browser() you may need to get browscap.ini, which you can get from here: http://www.garykeith.com/browsers/downloads.asp .
[...] e further investigation into Google not indexing my site past the front page, I found this article. Apparently the Googlebot may not like PHP sessions and [...]
I think it can be done with robot.txt
User-agent: Googlebot
Disallow: /*PHPSESSID
In Google sitemap BETA I can see 10 URLs restricted by robots.txt , and
that is with the above robot text. So i guess that might do the trick,
what do you think is this and indication that the above robot text is
egnoug?
I tried this solution in .htacess file
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
and not long after I had a coustomer complaining that my site no longer works.
what is the difference between php_value session.use_trans_sid and php_value session.use_only_cookies ? Will php_value session.use_trans_sid 0 disaple cookies all the time? and is that not problematic?
[...] This saves me a lot of time since I can focus on the design aspects and ignore most of the tedious stuff. In fact I’m completely satisfied with this solution, I’ve even written the rewrite rules so that our URL’s all look pretty and are SEO’ed (Search Engine Optimized). The thing I am not satisfied with is that under certain circumstances a vistor would get a url that has something like ?PHPSESSID=5ab080e5cff5dc130f9bec234b stuck to the end of it. Boy is that ugly. It also hurts our ranking in search engines. But there is a fix and it is very simple. [...]