What am I doing wrong? Is this a Drupal setting issue or a hosting PHP issue? I'm on Dreamhost.com

Sometimes the urls look like this:
http://creativebits.org/toolbox/make_your_mac_a_bluetooth_zombie?PHPSESS...

instead of:
http://creativebits.org/toolbox/make_your_mac_a_bluetooth_zombie

Comments

Jaza’s picture

Drupal is meant to take care of this, by using the ini_set() function to configure your site's PHP settings. But this doesn't seem to have any effect with my host, and other people probably have the same problem.

You can fix this by creating a php.ini file in your root Drupal directory, with the following two lines:

session.use_trans_sid=0
session.use_only_cookies=1

If that doesn't work, try doing it in your .htaccess file instead (but don't have a php.ini and a .htaccess with these settings at the same time), by finding these lines and changing them as follows:

# Override PHP settings. More exist in sites/default/settings.php, but
# the following cannot be changed at runtime. The first IfModule is
# for Apache 1.3, the second for Apache 2.
<IfModule mod_php4.c>
  php_value session.use_trans_sid                0
  php_value session.use_only_cookies                1
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
</IfModule>

<IfModule sapi_apache2.c>
  php_value session.use_trans_sid                0
  php_value session.use_only_cookies                1
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
</IfModule>

By the way, I've always admired CreativeBits, as a site that has a sexy design, intuitive usability, and interesting content. Overall, one of the flagship examples of a great Drupal site. I would hate to see such a cool site troubled by this very uncool (and unfortunately very common) URL problem.

Jeremy Epstein - GreenAsh


kbahey’s picture

This is solved by the parameters: use_trans_sid and use_only_cookies.

But the answer is not simple. It depends on how your host handles things:

If they are using PHP SuExec, then this goes to a file called php.ini

 session.use_trans_sid = 0
 session.use_only_cookies = 1

If they are not using this, then you put the following in .htaccess

  php_value session.use_trans_sid 0
  php_value session.use_only_cookies 1

I pushed hard to get 4.6 changes so these parameters are in the settings.php file (via ini_set() calls), but they do not take effect all the time.

The web host may be preventing the override of certain variables. I was only able to get it working in .htaccess, although several months ago, it was php.ini that did the trick. Web hosts change things all the time.

--
Drupal Customization and Development consulting: 2bits.com
Personal website: Baheyeldin.com


djnz’s picture

Many hosts will not allow php_value in .htaccess, and ini_set will not work with session.use_trans_sid. Fortunately, there is an easy workaround.

--------------------- WEBg8 ---------------------

iraszl’s picture

I've tried to edit php.ini, .htaccess and the settings file according to the workaround and I'm still getting the phpsessions.

I contacted Dreamhost customer service and they replied immediately:

> I have a problem with the following php settings:
> session.use_only_cookies Off Off
> session.use_trans_sid On On
>
> It should be the opposite, like this:
> session.use_only_cookies On Off
> session.use_trans_sid Off On
>
>
> I edited the php.ini file to change the setting:
> session.use_trans_sid=0
> session.use_only_cookies=1
>
> Also I tried to add this to .htaccess:
> php_value session.use_trans_sid 0
> php_value session.use_only_cookies 1
>
> But still can't override the default settings.
>
> It's very important because I'm getting page not found messages on my
> site because of this setting.
>

Unfortunately we cannot change these settings for you in our global
configuration files. If you need to have these settings you will have to
compile PHP yourself, here are some instructions to get you going:

https://panel.dreamhost.com/kbase/index.cgi?area=2538

Does this make sense? Do I really need to do that? I can't believe that I'm the only person running a Drupal site on Dreamhost having this issue.
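
To see which of these values is really in effect on a given host, and whether a script is even allowed to change them, a check along these lines can be run once from the site root. This is an added example, not code from any poster in this thread; it uses only standard PHP functions, and the expected values are the two recommended in the posts above.

```php
<?php
// Added example: report the session settings actually in effect and
// where PHP allows each one to be changed.

// Values recommended in the posts above.
const WANTED = [
    'session.use_trans_sid'    => false,
    'session.use_only_cookies' => true,
];

// Decode the 'access' bitmask that ini_get_all() returns for a directive.
function access_label(int $access): string
{
    $parts = [];
    if ($access & INI_USER)   { $parts[] = 'ini_set()'; }
    if ($access & INI_PERDIR) { $parts[] = '.htaccess / per-directory'; }
    if ($access & INI_SYSTEM) { $parts[] = 'php.ini / httpd.conf'; }
    return implode(', ', $parts);
}

function audit_session_settings(array $wanted): array
{
    $all  = ini_get_all('session'); // name => [global_value, local_value, access]
    $rows = [];
    foreach ($wanted as $name => $expected) {
        if (!isset($all[$name])) {  // directive not known to this PHP build
            $rows[$name] = ['ok' => false, 'note' => 'not available'];
            continue;
        }
        $d = $all[$name];
        // "On", "1", "Off", "0" and "" all occur, depending on where the value was set.
        $effective = filter_var($d['local_value'], FILTER_VALIDATE_BOOLEAN);
        $rows[$name] = [
            'ok'         => $effective === $expected,
            'local'      => $d['local_value'],   // value this request runs with
            'master'     => $d['global_value'],  // value from the main configuration
            'changeable' => access_label((int) $d['access']),
        ];
    }
    return $rows;
}

echo 'SAPI: ', PHP_SAPI, "\n";
echo 'php.ini in use: ', php_ini_loaded_file() ?: '(none)', "\n";
foreach (audit_session_settings(WANTED) as $name => $row) {
    echo ($row['ok'] ? 'OK   ' : 'FIX  '), $name, ' ', json_encode($row), "\n";
}
```

The `changeable` column is PHP's own rule for the directive; a host can still ignore `php_value` lines in .htaccess or a local php.ini, so the `local` value is the one to trust after each change.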

djnz’s picture

If you have ini_set('url_rewriter.tags', ''); in settings.php then PHP should not generate any session IDs.

I have taken a look at your site with cookies disabled and I don't get any session IDs in the url - are you sure you still have a problem?

Or is it just the redirection issue raised below?

--------------------- WEBg8 ---------------------

laura s’s picture

On Dreamhost as well as Site5. However, I see the session ID only on the page load immediately after saving a setting or new post. If I click on any link from there, the ID disappears. Why this would happen, I'm not sure.

===
Laura
pingV


djnz’s picture

Removing the session ID in the redirect after saving settings etc. is slightly harder - you need to modify common.inc at

if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) {

Alter the above so that the test always fails:

if (false && ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) {

will do. But this URL is only ever used in a redirect using an HTTP Location:, it is never presented in a web page so there is not really a need to 'fix' it IMHO.

--------------------- WEBg8 ---------------------

laura s’s picture

Is that someone posts something, then goes straight to another site. Then that person on that site sees the url and session ID in their referrers log. One time and one time only I ended up in the admin section of a Drupal site after clicking on a link in the logs that included a session ID. This was many moons ago, so I'm not sure if that vulnerability was fixed, was a fluke, or what.

===
Laura
pingV

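
From the site owner's side, the same leak is visible in the web server's own access log. The sketch below is an added example, not code from this thread: it scans combined-format log lines (the sample lines, addresses and session IDs are constructed) for a PHPSESSID in the request URL or the Referer field, and flags any ID presented by more than one client address.

```php
<?php
// Added example. The log lines below are constructed sample data.
$sampleLog = <<<'LOG'
198.51.100.7 - - [12/Jul/2005:10:01:02 +0000] "POST /comment/reply/12 HTTP/1.1" 302 0 "http://example.org/node/12" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2005:10:01:03 +0000] "GET /node/12?PHPSESSID=aaaa1111bbbb2222 HTTP/1.1" 200 5120 "http://example.org/comment/reply/12" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2005:10:02:10 +0000] "GET /toolbox HTTP/1.1" 200 4096 "http://example.org/node/12?PHPSESSID=aaaa1111bbbb2222" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2005:11:30:00 +0000] "GET /node/12?PHPSESSID=aaaa1111bbbb2222 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2005:11:31:00 +0000] "GET /toolbox?PHPSESSID=cccc3333dddd4444 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

// Returns: session id => [client address => number of log lines carrying it].
function find_url_session_ids(string $log, string $name = 'PHPSESSID'): array
{
    // Combined log format: client, ident, user, [time], "METHOD target PROTO",
    // status, bytes, "referer", "user-agent".
    $lineRe = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)"/';
    $idRe   = '/[?&;]' . preg_quote($name, '/') . '=([A-Za-z0-9,-]+)/';
    $seen   = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        if (!preg_match($lineRe, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $client, $target, $referer] = $m;
        foreach ([$target, $referer] as $field) {
            if (preg_match($idRe, $field, $id)) {
                $seen[$id[1]][$client] = ($seen[$id[1]][$client] ?? 0) + 1;
            }
        }
    }
    return $seen;
}

foreach (find_url_session_ids($sampleLog) as $sid => $clients) {
    $flag = count($clients) > 1 ? 'MULTIPLE CLIENTS' : 'in URL';
    // Print only a prefix so the report does not become another copy of the ID.
    printf("%s...  %-16s  %s\n", substr($sid, 0, 6), $flag, implode(', ', array_keys($clients)));
}
```

On the sample data the first ID is reported from two addresses and the second from one; once `session.use_trans_sid` is really off, the scan should return nothing for new log entries.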

kbahey’s picture

Ivan

I signed up at your site and did a few posts. I noticed that the PHPSESSID occurs only on POST operations.

Someone else reported the exact same symptom http://drupal.org/node/25765

5) PHPSESSID is appearing on POST actions, and does not appear on other pages. I think this is making some probs with users not getting deleted.

--
Drupal development and customization: 2bits.com
Personal: Baheyeldin.com


Detroit7’s picture

I have found that the SID can cause the intermittent issue you are describing. Whether or not this special PHP constant has a value of empty string or the session name and the session id depends on whether or not the user's browser is sending back a cookie. If no cookie is returned, your links are long. If there is a cookie being returned, the SID has a value of empty string. Notice that this means on the first display of your links a mouseover will always show the presence of the session info. So, I prefer to build my URLs for session conveyance like this:
echo 'a href="page2.php?' . session_name() . '=' . session_id() . ' " page2/a'; //this editor is stripping out the html tags, but you get the idea.