Session ID passed in url... sometimes

BuzzLY

Hi all... I have a phpBB board, and I love it. It works wonderfully, and I don't have a problem that really needs solving.

Wait, where are you going?

I have a question about sessions. I thought I understood them, but perhaps I don't. On my site, occasionally the session id is appended to the url as ?sid=xxxxxxetc. Sometimes, it is not.

Now, I do understand that session info is stored in cookies, and if they can't be, then they are passed in the url. I do have cookies enabled, and since they don't always get passed in the URL, I'm sure it works correctly.

My question is... why does it only sometimes show up in the url? I suspect that phpBB purposely puts it there, but if so, why? If I'm not mistaken, the session save path is /tmp, which does exist. Other phpinfo() session info for my site can be found here (since I know you all have nothing better to do that solve my problems).

I want to understand sessions better, so if you could explain the above to me, I would appreciate it. If you can direct me to a link with good information about sessions (yes, I already RTFM and UTSL), I would be forever grateful.

Incidentally, the only link I can currently find on my site with the session id in the URL is the one that opens my administration panel. Is it because that page is in a separate directory? Why should that matter, if so. If not, then why do they pass it in the URL? I'm so confused!

Thanks in advance for your help! 🙂

A curse in advance for your mockery! 😃

Weedpacket

I've noticed this as well; and also only during the initial part of the session.

What I'm guessing is that, when you call session_start() for the first time, PHP inserts the cookie into the response header as usual. But at this stage in the process, there is nothing to indicate that the client does accept cookies. If it doesn't, then that session ID will be disappearing off into the aether and be of no use to anyone. So to be on the safe side, it's embedded in the urls of that initial response as well - until it is established that the client is indeed accepting cookies.

Why it only happens sometimes - I guess it would occur once per client-side session. After that it would have session ID cookies it would be including in its request headers.

But there must be something more elegant.

BuzzLY

That's a good theory... but if you go to my site (http://www.ultimatespin.com/forum -- yes, this is just an elaborate way to get more traffic to my site :p ), you'll see that the session id does NOT get passed in the url. Only when I click on "Go to Administration Panel" at the bottom (which only admins can see, of course) does the session id appear in the URL.

I did a little digging, and found where that link is created. It is in forum/includes/page_tail.php, and here is the line that creates the URL:

// this originally was on one line... broken up for readability
$admin_link = ( $userdata['user_level'] == ADMIN ) ? '<a href=
   "admin/index.' . $phpEx . '?sid=' . $userdata['session_id'] . '"
    target="_blank">' . $lang['Admin_panel'] . '</a><br />
    <br />' : '';
// I added the target="_blank" myself -- the rest is from default installation.

So, phpBB is physically putting the ?sid=xxxxxetc tag on the end of the link. But why would they do that? They don't do it for other links on the site. It seems like a strange decision -- was it something they forgot to take out, or was it deliberate?

Perhaps I will ask this question on phpBB's forum as well, as it seems to be a phpBB related question rather than specific to sessions. But if anyone has any light they can shed on it, feel free to pipe up.

Thanks!

BuzzLY

In this article, they explain their reasons for appending the session id:

from PHPBuilder Knowledge Base

...When you first visit phpBB (assuming you have autologin enabled) it looks to see if you have a session_id (either in a cookie or the URL). On a new visit you won't have such a session_id and so phpBB creates a new one. If you have autologin set it checks the relevant data and if that matches you are logged in with the appropriate user_id. You can then immediately browse the board, post messages, do admin tasks (if applicable), etc.

Now let's take a situation where a naughty person creates a bogus form on their site. You are (for some reason) browsing this form. However, unknown to you this form contains all the necessary data to delete a pile of topics in a given forum (you having moderator rights on a certain board). When you submit that form it will be transmitted to the appropriate website. No session exists so phpBB, as noted above creates a new one and immediately processes the form data ... all the relevant topics are deleted from the database and you only find out when the boards "The selected topics have been deleted" message appears ...

To help negate the effectiveness of this we backported some code from phpBB 2.2 and introduced additional code. The admin control panel now appends your session_id to every url. When you browse within that panel it checks the session_id in the url with that stored in the sessions table. If they match, great, if they don't it redirects you back to the ACP index. This will help prevent users accidently, without their knowledge suffering issues as noted above.
...

So, it seems that they append the session id in order to have a value to compare to the established session_id in the database, for added security. Makes sense to me. It also explains why old links in the history (with old session ids) or refreshing the page after an hour (cookies expire in 3600 seconds) causes you to get errors (the original reason for posting this thread).

Thanks for your help, Weed... or for pointing me in the right direction. Sometimes you just need to talk things out to figure out your problems, eh?