PHP Session ID Auto-appending problem

xenoda9uy

Hi, I was having this problem for a while and could not figure out why.

Delimma:
When I start the session in one page, and then I redirect to another page. On the address bar, there is always a PHPSESSID appended at the end of the URL. (I don't recall my scripts doing this previously.) The session works fine, but revealing the session can be really dangerous, isn't it?

Help:
Does any one have any way to hide that from appearing on the address bar?

Here is what I have basically put in my page.

sess1.php

<?php
session_start();
echo "<a href='./sess2.php'>Click here</a>";
?>

sess2.php

<?php
/* some random session junk */
?>

I Could always see the PHPSESSID on the URL of sess2.php when I click on the "Click Here" link.

bretticus

PHP can detect when a cookie cannot be stored and the session id is stored in the URL instead. The only thing that's changed is probably just the way your browser is handling cookies. Sessions can be hijacked but it's relatively as easy to hijack a session id from the URL as it is one from a cookie. I wouldn't worry about it.