Occasionally I come across something tech related that I’m working on which is hard to find documented, so I document it here for myself & for google to index to possibly help others…
I wrote a simple web page hit counter for my website years ago using php & mysql. This worked fine until last year when I had to move my site from a machine I managed to a hosting provider. One issue surfaced where randomly, a string with ?PHPSESSID= would appear in the URLs while users were browsing my site, like http://defunkt.net/?PHPSESSID=1ba1f201361fa4ae2fef8122bec3.
Having the PHPSESSID in the URL is not only ugly, but it’s a security risk as well. If you visit a page that has PHPSESSID in the URL and then click a link to another site, your session ID travels along in the Referer header (or in any copied or shared link), so a malicious admin on the site you click to could reuse it and gain your privileges on the site you came from.
The Solution
If you are using a hosting provider like I am now, you probably don’t have root level access to the machine serving your pages. The solution in this case is rather simple; if your provider is running Apache (most do) use a .htaccess file.
.htaccess is the default filename of Apache’s directory-level configuration file. It provides the ability to customize configurations defined in the main configuration file.
In this case, all you need to do is create a .htaccess file in your www root, and include the following 2 lines:
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
That’s it! Apache will apply your configuration change even though it is defined differently by your hosting company.
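The two php_value lines above only take effect when PHP runs as an Apache module (mod_php); on hosts that run PHP under FastCGI/PHP-FPM they are ignored or even cause a 500 error, and the same settings belong in a .user.ini file instead (without the php_value prefix). As a fallback that works regardless of how the host runs PHP, the same hardening can be applied from inside the application. The following is an added example, not code from the original post; the file and function names are assumptions:

```php
<?php
// Added example (not from the original post): apply the same session
// hardening as the .htaccess lines from inside PHP, for hosts where
// php_value directives are not honoured. Function names are assumptions.

declare(strict_types=1);

function harden_session_settings(): void
{
    // The two settings the post puts in .htaccess, applied at runtime.
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links with ?PHPSESSID=
    // Reject session ids the server did not itself issue (blocks fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: unreadable from JavaScript, not sent on cross-site requests,
    // and HTTPS-only when the request arrived over TLS. Must run before session_start().
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
}

// True when the query string still carries the session cookie name (PHPSESSID by default).
function session_id_in_url(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

// Rebuild the request URL without the session id parameter, keeping other parameters.
function url_without_session_id(string $request_uri, array $query): string
{
    unset($query[session_name()]);
    $clean = strtok($request_uri, '?');
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    return $clean;
}

harden_session_settings();

if (session_id_in_url($_GET)) {
    // A session id arrived on the URL anyway (old bookmark, stale link): do not
    // adopt it, redirect to the clean URL so it is not leaked onward via Referer.
    header('Location: ' . url_without_session_id($_SERVER['REQUEST_URI'], $_GET), true, 302);
    exit;
}

session_start();
```

Include this file at the top of every page before any output is sent (headers cannot be set afterwards). Setting session.use_only_cookies already makes PHP ignore an id in the URL; the redirect step goes one further by scrubbing the id from the address bar so it is never sent as a Referer to the next site.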
Incredible find! You have made the transition to developer. Welcome to the dark side! To move to the final stage you must become a Microsoft developer. Let the darkness take you…