Disable session IDs passed via URL

URL-based session management is not only riskier than cookie-based session management, it also causes real problems once search engines index your pages. A session ID that is part of the URL ends up wherever the URL goes: in bookmarks, in links your visitors send to their friends, in browser history, in the web-server and proxy logs of every hop, and in the Referer header sent to any external site you link to. Whoever obtains it can use the session for as long as it is valid, and an attacker can just as easily hand a victim a link carrying a session ID of his own choosing (session fixation). Search engines index such URLs too, which means new visitors arrive at your site with an old session ID. On top of that, most search engines want to provide relevant results for their users, so different URLs with the same content can be penalized or even removed from the index.

We must all admit that a SESSID or PHPSESSID added to the end of a URL does not look very nice and is not easy to remember either. For this reason and all the above, you should disable URL-based session management on your sites and keep the session ID in a cookie instead. (PHP 5.5.2 and later additionally offer session.use_strict_mode, which makes PHP refuse any session ID it did not generate itself; enable it as well if you can.) Granted, disabling session IDs in the URL can become a usability issue, because all visitors must have cookies enabled to use any code that requires sessions, such as login scripts, but there are other ways to handle this within your application.

The easiest way to prevent PHP from automatically adding the session ID to all of your URLs is to disable it site-wide in a .htaccess file. This file holds one or more Apache configuration directives that apply to its directory and all subdirectories thereof.

Notice

Works only on Apache HTTP Server, and only when PHP runs as an Apache module (mod_php). With PHP as CGI or FastCGI the php_value directives are not recognized (Apache answers with a 500 error); use php.ini or a .user.ini file there, or the PHP code further down.

If there is no file called .htaccess in the root folder of your website, create one and add the following lines to it:

php_value session.use_only_cookies 1
php_value session.use_trans_sid 0

Some server configurations do not allow you to change PHP settings from within .htaccess. You can get the same result by putting the configuration into a regular PHP file that you include (once) at the top of every other script of your website. Both settings can be changed at runtime, but they must be set before session_start() is called, so the include has to come before any session code. Simply add the following code to the file:

<?php
// Must run before session_start(): the settings only apply to sessions
// started afterwards
if (function_exists ('ini_set'))
{
   //Use cookies to store the session ID on the client side
   @ ini_set ('session.use_only_cookies', 1);
   //Disable transparent Session ID support (no SID appended to links/forms)
   @ ini_set ('session.use_trans_sid',    0);
}
?>

An additional step is required if search engines have already indexed pages of yours with a session ID in the URL, or if you know that people may have bookmarked them; you can also do it simply to prevent that from happening. In the same always-included PHP file you can redirect any request whose URL carries a session ID to the same page without it, sending a "301 Moved Permanently" status. Ordinary visitors will not notice anything, but search engines will learn on their next crawl that the old URL has permanently moved to its new location without the session ID, and update their listings. Two things to keep in mind: once session.use_only_cookies is on, PHP ignores a session ID in the URL anyway, so the redirect only cleans up what others see and does not undo the exposure of an ID that is already out there; and the redirect target must be built from your own host name, not from the client-supplied Host header, or a forged request could turn it into a redirect to another site. Whether or not you include the code above, the following code will help you a lot:

<?php
// Determine the current URL. Use https when the request came over TLS, and a
// fixed canonical host name instead of the client-supplied Host header so the
// redirect can only ever point back to this site.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host   = 'www.example.com';   // replace with your own host name
$URL    = $scheme . '://' . $host . $_SERVER['REQUEST_URI'];

// Session name (PHPSESSID by default) as it appears in the query string,
// escaped for use inside a regular expression. Do not urldecode() the URL:
// REQUEST_URI is already the raw request target, and decoding it could turn
// %0D%0A into a line break inside the Location header.
$name = preg_quote(session_name(), '#');

//Check if the session ID is passed via URL
if (preg_match('#[?&]' . $name . '=#', $URL))
{
   //Remove the session parameter wherever it sits, keeping the other
   //parameters and leaving no dangling "?" or "&" behind
   $URL = preg_replace(
      array('#&' . $name . '=[^&\s]*#',     // "&PHPSESSID=..." after another parameter
            '#\?' . $name . '=[^&\s]*&#',   // "?PHPSESSID=...&" as the first of several
            '#\?' . $name . '=[^&\s]*$#'),  // "?PHPSESSID=..." as the only parameter
      array('', '?', ''),
      $URL
   );
   //Send a 301 Moved Permanently redirect to the clean URL and end the script
   header('Location: ' . trim($URL), true, 301);
   exit();
}
?>
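The regular-expression approach above does the job, but a query string is a structured thing and PHP already knows how to take it apart. The following is an added example, not code from the original article: it removes the session parameter with parse_url(), parse_str() and http_build_query(), so the parameter is handled correctly wherever it sits and every other parameter, the port and the fragment survive untouched. It assumes PHP 7 or later; the host www.example.com, the function names and the sample URLs in the self-check are all made up for the example.

```php
<?php
// Added example, not part of the original article. Strip the session ID
// parameter from a URL with PHP's URL parser instead of a regular expression.

/**
 * Return $url with the "$name=..." query parameter removed, or null when the
 * URL carries no such parameter. Other parameters, credentials, port and
 * fragment are kept. Note that parse_str() turns "." and " " in parameter
 * names into "_", exactly as PHP does when it fills $_GET.
 */
function strip_session_id(string $url, string $name = 'PHPSESSID'): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }

    parse_str($parts['query'], $params);
    if (!array_key_exists($name, $params)) {
        return null;
    }
    unset($params[$name]);

    // Rebuild the URL piece by piece so nothing but the query changes.
    $clean = '';
    if (isset($parts['scheme'])) {
        $clean .= $parts['scheme'] . '://';
    }
    if (isset($parts['user'])) {
        $clean .= $parts['user'];
        if (isset($parts['pass'])) {
            $clean .= ':' . $parts['pass'];
        }
        $clean .= '@';
    }
    $clean .= $parts['host'] ?? '';
    if (isset($parts['port'])) {
        $clean .= ':' . $parts['port'];
    }
    $clean .= $parts['path'] ?? '/';
    if ($params !== []) {
        $clean .= '?' . http_build_query($params);
    }
    if (isset($parts['fragment'])) {
        $clean .= '#' . $parts['fragment'];
    }
    return $clean;
}

/**
 * Issue a 301 redirect to the session-free form of the current request URL.
 * $canonicalBase is your own scheme and host, e.g. "https://www.example.com"
 * (an assumed value). It is fixed here rather than read from the Host header
 * so that a forged Host header cannot turn this into an open redirect.
 * Call this before any output is sent.
 */
function redirect_without_session_id(string $canonicalBase): void
{
    $request = $canonicalBase . ($_SERVER['REQUEST_URI'] ?? '/');
    $clean   = strip_session_id($request, session_name());
    if ($clean === null) {
        return;   // no session ID in the URL, nothing to do
    }
    header('Location: ' . $clean, true, 301);
    exit;
}

/**
 * Self-check over constructed sample URLs (not taken from any real site).
 * Each case is one that a single search-and-replace on "?PHPSESSID=..."
 * gets wrong. Returns true when every case produces the expected result.
 */
function strip_session_id_self_test(): bool
{
    $cases = [
        // session ID is the only parameter: the "?" must go too
        'http://www.example.com/page.php?PHPSESSID=abc123'
            => 'http://www.example.com/page.php',
        // session ID first, others follow: the "?" must stay
        'http://www.example.com/page.php?PHPSESSID=abc123&id=7'
            => 'http://www.example.com/page.php?id=7',
        // session ID in the middle, with a port and a fragment to preserve
        'https://www.example.com:8443/dir/page.php?id=7&PHPSESSID=abc123&sort=name#top'
            => 'https://www.example.com:8443/dir/page.php?id=7&sort=name#top',
        // no session ID at all: nothing to redirect
        'http://www.example.com/page.php?id=7'
            => null,
    ];
    foreach ($cases as $input => $expected) {
        if (strip_session_id($input) !== $expected) {
            return false;
        }
    }
    return true;
}

var_dump(strip_session_id_self_test());
```

In a real site you would drop the var_dump() line and call redirect_without_session_id('https://www.example.com') from the always-included file, before session_start() and before any output. Because the function returns null when there is nothing to strip, it costs nothing on the vast majority of requests that already have clean URLs.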

If your pages are already indexed, the update can take some time, especially on Google. It will happen in time; you cannot expect results within minutes. Yahoo! and MSN may update their index sooner, Google needs longer. It is worth doing: you not only get clean, readable URLs, but with luck better search positions and a higher PageRank too. Because the redirect to the clean URL is done dynamically in PHP, nothing is hard-coded and you do not have to update every file, unlike most other solutions available on the internet.

Contribute your thoughts

Anonymous responds: May 21 11:58
This idea is not working.
zico responds: April 30 21:16
I was searching in several articles which state the same solution, but it didn't work for me; then your article came. Perfect solution, efficient, well done! Thanks!!

I just upgraded my smf forum to rc3 and was annoyed with the session ID!!
judith responds: April 19 10:28
I did this on a few of my sites and it improved the listings a lot.
dudesmama responds: June 10 07:03
Thank you for these tips and explanations. I just started running into this problem and have no idea where the session IDs are from but they are causing a lot of grief. Earlier today I saw 30 "pages not found" in GWT and a visit to my site's homepage showed dozens of sessionID links (in the WebDeveloper Tools) under Link Information. I added the code to the WP Header and now I see none! Relieved!
Thank you!
Tube responds: February 27 14:41
This worked beautifully thanks. I had a site that was losing Google rankings. When I looked in the Webmaster Tools there were hundreds of duplicate pages indexed, which were the same URLs but with different session ID's.
The session ID's were produced by an internal search engine (sphider.eu). Google actually tried searches with the search function and indexed the results. The problem was that the links in the search results had session ID's and those links were crawled and indexed as well.
I've switched off the session ID's and implemented your suggestion. I'm now keeping my fingers crossed!
dd responds: January 16 12:53
dddddd
Junaid Shabbir responds: July 15 09:02
Some portion of the PHP code is hidden in IE7, probably overflow is set to none. I can scroll in Firefox.
Jem Smith responds: September 17 23:12
Hi
I think that I will implement your view in my new project.


Regards
Jem Smith
Darren responds: September 07 11:39
Great advice. Worked for me. I also had to change php.ini in my root folder, as this was overriding htaccess settings. The redirect code you provided was perfect for cleaning up my already indexed pages. Thanks a lot.
Jan responds: August 14 23:06
Great! When I used .htaccess modification it didn't work (some incorrect redirect because my .htaccess contains something already) and I had to put the thing into php files. It works perfectly:)...

Thanks a lot! I found that Google has already indexed about 150 pages from my site with phpsessid. Now it will turn to normal I hope.
samie responds: July 08 23:15
I understand that now.
Thank you.
