
PHPSESSID, Apache, and the power of .htaccess files to fix a host’s php configuration

Occasionally I come across something tech related that I’m working on which is hard to find documented, so I document it here for myself & for google to index to possibly help others…

I wrote a simple web page hit counter for my website years ago using php & mysql. This worked fine until last year, when I had to move my site from a machine I managed to a hosting provider. One issue surfaced: at random, a ?PHPSESSID= parameter would appear in the URLs while users were browsing my site, like http://defunkt.net/?PHPSESSID=1ba1f201361fa4ae2fef8122bec3.

Having the PHPSESSID in the URL is not only ugly, it is a security risk as well. If you visit a page that has PHPSESSID in the URL and follow a link from it, a malicious admin of the site you click through to could use that session ID to gain your privileges on the site you came from.

The Solution

If you are using a hosting provider like I am now, you probably don’t have root level access to the machine serving your pages. The solution in this case is rather simple: if your provider is running Apache (most do), use a .htaccess file.
.htaccess is the default filename of Apache’s directory-level configuration file. It lets you override settings defined in the main configuration file for the directory it sits in.
In this case, all you need to do is create a .htaccess file in your www root and include the following two lines:

php_value session.use_only_cookies 1
php_value session.use_trans_sid 0

That’s it! Apache will apply your configuration change even though it is defined differently by your hosting company.
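One caveat worth knowing: php_value lines in .htaccess only take effect when PHP runs as an Apache module (mod_php); under CGI, FastCGI or PHP-FPM they are ignored or produce a 500 error. The following is an added example, not code from the post, that enforces the same two settings from inside the application before session_start() and fails closed if the host has locked them. It assumes PHP 7.3 or later and that it runs before any session is started.

```php
<?php
// Added example: defence in depth for the .htaccess fix, applied at runtime
// so it works on any SAPI (mod_php, CGI, FastCGI, PHP-FPM).

// The two settings the post relies on, as booleans.
const REQUIRED_SESSION_INI = [
    'session.use_only_cookies' => true,   // never accept a session id from the URL
    'session.use_trans_sid'    => false,  // never rewrite links/forms to carry ?PHPSESSID=
];

/**
 * Try to apply each setting and return a list of the ones that are still
 * wrong afterwards (e.g. locked by the host with php_admin_value).
 * An empty array means the session is cookie-only.
 */
function enforce_cookie_only_sessions(): array
{
    $problems = [];
    foreach (REQUIRED_SESSION_INI as $name => $want) {
        ini_set($name, $want ? '1' : '0');  // returns false if the directive is locked
        // ini_get() returns raw strings ("1", "0", "On", "", ...), so normalise.
        $have = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
        if ($have !== $want) {
            $problems[] = sprintf('%s is %s, wanted %s',
                $name, var_export(ini_get($name), true), $want ? '1' : '0');
        }
    }
    return $problems;
}

$problems = enforce_cookie_only_sessions();
if ($problems !== []) {
    // Fail closed rather than silently leaking session ids through URLs.
    error_log('session hardening failed: ' . implode('; ', $problems));
    http_response_code(500);
    exit('Session configuration error');
}

// Keep the cookie itself out of reach of page scripts, then start the session.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Detection aid: a PHPSESSID in the query string (old bookmark, pasted link)
// is never honoured now, but logging it shows where leaked URLs still circulate.
if (isset($_GET['PHPSESSID'])) {
    error_log('ignored PHPSESSID in URL from ' . ($_SERVER['HTTP_REFERER'] ?? 'unknown referer'));
}
```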

1 Comment

  1. steve

    Incredible find! You have made the transition to developer. Welcome to the darkside! To move to the final stage you must become a Microsoft developer. Let the darkness take you…