because of issues with the PHPSESSID support for trans_sid has been removed from core.

unfortunately, now it's not possible anymore to set the php-settings (use_trans_sid,..) so that the session works without cookies, too. this is, because drupal_goto() has to take care about the sid.

attached is a patch, which re-adds the sid in drupal_goto() like in 4.6, but only if cookies don't work. so people can login again. but this doesn't touch the php-settings, so the trans_sid keeps deactivated and as a result the sid won't be added per default.

CommentFileSizeAuthor
#13 nocookies.patch3.79 KBowen barton
phpsess_without_c.patch.txt816 bytesfago

Comments

moshe weitzman’s picture

moshe weitzman commented

when a user first visits the site, he has no session cookie. won't this disturb his urls on the resulting page? all subsequent pages will work fine as you've noted.

killes@www.drop.org’s picture

killes@www.drop.org commented

How well is this tested? Do we need all four checks in the if clause?

fago’s picture

fago
Primary language German
Location Vienna
commented

ad #1
hm, unfortunatley yes - and i don't see any way to fix this..
however i don't think it's very common to have a drupal_goto() on the entry page. and if, 1 click later the phpsessid would be gone.
looks like, that this is the price to pay for allowing logins without cookies?!

ad#2
yes i think they are all necessary. the test for session_id() is necessary when logging out, because there the session is destroyed before drupal_goto() will be called.

i tested this patch with a recent cvs install and verified that logging in and doing a drupal_goto() works correctly both with and without cookies.

moshe weitzman’s picture

moshe weitzman commented

when a crawler visits your site he indexes all the links from your first page view. these can't have session ids in them

fago’s picture

fago
Primary language German
Location Vienna
commented

hm, yes..

but does a crawler usually allow cookies?
i thought no, so it would index all pages with the sid.. isn't that a general problem, when you use trans_sid?

killes@www.drop.org’s picture

killes@www.drop.org commented
Status: Needs review » Needs work

We don't want sids displayed if the client does not understand cookies. Maybe test fir http 10. vs 1.1?

fago’s picture

fago
Primary language German
Location Vienna
commented

how else keep a session without cookies?
what woud testing for http1.0/1.1 help?
setting a correctly http status code in drupal_goto would perhaps be good, but imho that's another topic?

to make it clear,
this patch doesn't touch the default php-settings. session ids won't be displayed even if the client doesn't allow cookies.

but with this patch administrators can change the php-settings in settings.php to allow logins without cookies. yes then users (and crawlers) will see session-ids in there urls if they don't allow cookies, buts thats how php-session without cookies work and thats what the site-admin has conifgured.

without this patch, the admin can activate trans_sid, but it just won't work without cookies.

MentalFS’s picture

MentalFS commented

Aren't session IDs only important for logged in users?
If so a check for anonymous user could help for better results with crawlers and first visits.

jt6919’s picture

jt6919 commented

I get tons of PHPSESSID's when the search bot visits my site (and is indexing it), but I am using 4.7.3. Can anyone help?

paddywwoof’s picture

paddywwoof commented

A few months ago I had one site working ok when cookies were switched off by changing the settings.php file

ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid',    1);

other sites I tried it on didn't, apparently because enable-trans-sid was switched off at a higher level (when compiled?). Now the site it worked on doesn't any more! I can only assume that this is because of some general security alert. If I do:

ini_set('session.use_trans_sid',    1);
echo ini_get('session.use_trans_sid');

I get a '0'.

I have tried putting the suggested patch into common.inc (but taking out the check for use_trans_sid obviously) and session_id is remembered only so long as I goto pages using form buttons. As soon as I click on a normal link it looses the session. Short of hacking the page rendering in the theme to add the suggested code to all links is there a way of fixing this? I wondered about looking at the l() function.

Any help or suggestions welcome

Paddy

paddywwoof’s picture

paddywwoof commented

I hacked the url() function in includes/common.inc, as drupal_goto() and l() use this, as follows and it seems to work. Obviously the links are messy with cookies switched off.

// PBG 25sep06
$url = '';
  // The special path '<front>' links to the default front page.
  if (!empty($path) && $path != '<front>') {
    $path = drupal_get_path_alias($path);
    $path = drupal_urlencode($path);
    if (!$clean_url) {
      if (isset($query)) {
//        return $base . $script .'?q='. $path .'&'. $query . $fragment;
        $url = $base . $script .'?q='. $path .'&'. $query . $fragment;
      }
      else {
//        return $base . $script .'?q='. $path . $fragment;
        $url = $base . $script .'?q='. $path . $fragment;
      }
    }
    else {
      if (isset($query)) {
//        return $base . $path .'?'. $query . $fragment;
        $url = $base . $path .'?'. $query . $fragment;
      }
      else {
//        return $base . $path . $fragment;
        $url = $base . $path . $fragment;
      }
    }
  }
  else {
    if (isset($query)) {
//      return $base . $script .'?'. $query . $fragment;
      $url = $base . $script .'?'. $query . $fragment;
    }
    else {
//      return $base . $fragment;
      $url = $base . $fragment;
    }
  }
////////////
// PBG 25sep60 // moved from drupal_goto() see above
//
	if (session_id() && !strstr($url, session_id()) && !$_COOKIE[session_name()]) {
    $sid = session_name() . '=' . session_id();

    if (strstr($url, '?') && !strstr($url, $sid)) {
      $url = $url .'&'. $sid;
    }
    else {
      $url = $url .'?'. $sid;
    }
  }
	return $url;
mlncn’s picture

mlncn commented
Version: x.y.z » 6.x-dev

Er, subscribing.

I know this thread is very old but think it's important that Drupal work without cookies, and at the moment it seems to... be supposed to... with difficulty? I couldn't get it to work in Drupal 5 in my testing.

Ideally, following the idea of progressive enhancement / graceful degradation:

  • Cookies are used if a user has them turned on.
  • Query string or funky form-based session IDs are used if a user has cookies turned off.
  • If the query string method is used, it should not be shown and indexed by search engines (simply not used by anonymous users)

Theoretically this shouldn't be asking the impossible, but I'm not sure PHP's session handling can do it. If not, could a Drupal module?

I apologize if I'm way off base, and the above is easy, but pointers to resources on how to set that up would be appreciated. I followed the instructions in settings.php and even set

* To see what PHP settings are possible, including whether they can
* be set at runtime (ie., when ini_set() occurs), read the PHP
* documentation at http://www.php.net/manual/en/ini.php#ini.list
* and take a look at the .htaccess file to see which non-runtime
* settings are used there.

Agaric has PHP5 on our servers and it should work with just changing settings.php, but I could not log in with cookies turned off.

This is the result from php --info:

session.use_cookies => On => On
session.use_only_cookies => Off => Off
session.use_trans_sid => 0 => 0

Set php_value session.use_trans_sid 1 in <Directory /> and <Directory /var/www> in the Apache sites-available directory. Did not work either. Thanks for listening.

ben, Agaric Design Collective

owen barton’s picture

owen barton commented
Category: bug » feature
Status: Needs work » Closed (won't fix)
StatusFileSize
new nocookies.patch3.79 KB

We recently needed to do a site without cookies being used at all (even if the browser supports them), so I thought I would document the changes needed here (note the word 'document' - this is not a proposed patch!) in case anyone else needs to do this. The patch in #11 is not ideal, because PHP can already rewrite regular URLs to add the session - no need to duplicate this functionality.

Drupal used to support a trans_sid, URL-based-session configuration (there was some code in 4.6 drupal_goto to insert the session id into http redirection urls), however this approach was deemed to much work to support on all the different server platforms and was never really used by anyone (there was never AFAICS a way to 'fall back' to a no-cookie setup for browsers that don't support cookies - just switch to using trans_sid sitewide) and so this code was removed in 4.7. Since 4.7 you have officially needed cookies to log in to an unpatched Drupal site and (if you look at my patch) you will see that other cookie specific code has been added since the first 4.7 release, so I think we can officially put this to 'won't fix'.

If someone comes up with an elegant way to 'fall back' to URL based sessions for browsers that don't have cookies, that works well on all the different server platforms, then I can see that being an option - but for now I think this issue is closed.

Anyway - back to my patch. Here are the settings.php lines that we are using with this:

/**
 * PHP settings:
 *
 * To see what PHP settings are possible, including whether they can
 * be set at runtime (ie., when ini_set() occurs), read the PHP
 * documentation at http://www.php.net/manual/en/ini.php#ini.list
 * and take a look at the .htaccess file to see which non-runtime
 * settings are used there. Settings defined here should not be
 * duplicated there so as to avoid conflict issues.
 */
ini_set('arg_separator.output',     '&amp;');
ini_set('magic_quotes_runtime',     0);
ini_set('magic_quotes_sybase',      0);
ini_set('session.cache_limiter',    'none');
ini_set('session.save_handler',     'user');

/**
 * Settings customizations for no cookies patch
 */

// Shorten session timeouts (optional, but pretty important to keep URL sessions secure)
ini_set('session.cookie_lifetime',  1800); // One hour session timeouts (we don't use cookies, but let's set this anyway)
ini_set('session.cache_expire',     1800); // One hour session timeouts
ini_set('session.gc_maxlifetime',   1800); // One hour session timeouts
ini_set('session.gc_probability',   20);   // Increase probablity of gc running to 20/100 (i.e. about one in five requests), for extra vigilance

// Use URL sessions instead of cookies
//ini_set('url_rewriter.tags',        ''); // We need this left enabled (i.e. the line that disables it commented out) to add the session url querystrings to page links
ini_set('session.use_cookies', 0);         // Disable cookies
ini_set('session.use_only_cookies', 0);    // Really disable cookies
ini_set('session.use_trans_sid', 1);       // Use url sessions instead
owen barton’s picture

owen barton commented

One other note with my patch (#12) - this doesn't include the later improvements to session.inc to stop web crawlers and first-time visitors getting a new session, so you will want to monitor your sessions table size if you use this. That said, if you expire sessions after an hour (as we are) then you shouldn't have too much trouble.

smartuser’s picture

smartuser commented

I applyed patch #13 on a Drupal 6 test site. It seems to work. Thank you.

scifisi’s picture

scifisi commented

I've just tried #13 on my site (Drupal 6.14) and went to the domain name and found that my site went to the 'initialse' page as it is when I first set up a Drupal site - Yikes!

deepakray321’s picture

deepakray321 commented

Hi Paddy,
i am facing the same issue.tried your code but got no luck.
Would really appreciate if you could give me some more ideas on this .

Thanks in advance.

Regards,
Deepak

deepakray321’s picture

deepakray321 commented

Hi Owen,
I am facing the same issue.Tried your patch but got no luck.

Could you please send the files you have changed for this issue.or any other way around.

I am using drupal 6.

thnks in advance.

Regards,
Deepak