Strip session IDs - PHPSESSID
  • Strip session IDs - PHPSESSID

    Is there any way to make Zoom strip off PHPSESS= query strings from indexed URLs?

    Other search engine generators (e.g. PHPDig etc.) can do this. I prefer Zoom, but the lack of this feature makes it a bit less nice.

  • #2
    I assume what you are seeing is "PHPSESSID" and not "PHPSESS"?

    PHPSESSIDs in the URL a) are ugly, b) negatively affect search engine indexing (not just Zoom), c) are a security risk that can enable a malicious user to hijack your session and d) confuse end users who are trying to link to your site or pass links on to their friends.

    See this comment on the PHP site about security risks,
    http://php.planetmirror.com/manual/e....use-trans-sid

    In general there is no need for PHP applications to include them in the URL (cookies or sessionless browsing are better solutions).

    So I don't think changing Zoom to ignore parts of your URLs is the best solution. I think a better solution is to fix your PHP scripts. This can be done in several ways depending on your scripts and host.

    Option 1)
    Use the PHP command ini_set() to change the following values,
    session.use_only_cookies 1
    session.use_trans_sid 0

    Option 2)
    If your host is using PHP as an Apache module, you need to put the following two lines in your local Apache .htaccess file,
    php_value session.use_only_cookies 1
    php_value session.use_trans_sid 0

    -------
    David


    • #3
      Yes, sorry, I meant PHPSESSID

      When USERS (with cookies enabled) use the site, the session ID is stored in cookies, but when Zoom spiders the site it gets a PHPSESSID in the URL.

      If we tell our site to use ONLY cookies, then (a) it doesn't seem to work at all when Zoom spiders the site, and (b) users who have cookies disabled in their browsers can't use the site.


      • #4
        Zoom should be able to receive cookies (in fact it should share the cookies that IE has stored).

        But it might be that your script doesn't attempt to send Zoom a cookie because your script might be trying to identify the browser version. And if it is not a known browser type (e.g. Netscape or IE), your script might switch to using URL based session management.

        We would need to have a look at your script in order to know what was going on.

        ------
        David


        • #5
          It doesn't do any browser detection for cookies.

          If I turn on 'Use cookies from Windows and IE' under 'Authentication', then it seems that Zoom lets PHP's session IDs go in cookies.

          I hadn't turned this on previously because (a) we don't use IE, and (b) Zoom doesn't need to 'log in' to webpages, the session IDs are just used for things like shopping cart tracking on most pages (and I don't want Zoom to index pages where you DO need to log in).

          (Note that I still think that being able to optionally strip PHPSESSID=.. from URLs (and possibly other query strings as well) would be a good thing for Zoom, whilst not being that hard to do; it could even be done in the Search.php script without too much effort. As I mentioned earlier, other search engines do this)


          • #6
            Yes, I should have mentioned that you need to check the "Use cookies" option box. Sorry about that.

            IE and Windows are now inseparable. Various functions in Windows use IE behind the scenes, so IE can never be fully removed now as it is effectively part of the Windows API. Zoom uses the Windows API to communicate on the internet and Windows uses pieces of IE to do the work. Which is why Zoom ends up sharing the IE cookies and caching.

            Zoom won't index pages where you do need to log in unless you have supplied the user name & password or unless the cookie your site issues to Zoom allows access to those sections of your site without a user name & password.

            Yes, we could, and maybe should, strip out PHPSESSID from URLs. But it would have to be optional & done after indexing, as the session details are often required during indexing. But as there is an easy workaround (allow cookies) we don't see it as a major issue.

            ----
            David
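
The post-indexing cleanup discussed in this thread, sketched as an added example; it is not code from any poster or from Zoom. The function name `strip_session_params` is hypothetical, the sample URLs are constructed, and it assumes the session parameter uses PHP's default name, PHPSESSID.

```php
<?php
// Added example (not Zoom's code): remove session-ID parameters from a URL
// before it is displayed or stored, leaving every other parameter intact.

function strip_session_params(string $url, array $names = ['PHPSESSID']): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;                 // malformed, or no query string: leave untouched
    }

    // Filter the raw name=value pairs instead of using parse_str(), which
    // would rewrite parameter names and re-encode the values that remain.
    $kept = [];
    foreach (explode('&', $parts['query']) as $pair) {
        $name = urldecode(explode('=', $pair, 2)[0]);
        if ($pair !== '' && !in_array($name, $names, true)) {
            $kept[] = $pair;
        }
    }

    // Rebuild the URL from the components parse_url() returned.
    $out = isset($parts['scheme']) ? $parts['scheme'] . '://'
         : (isset($parts['host']) ? '//' : '');
    if (isset($parts['user'])) {
        $out .= $parts['user'] . (isset($parts['pass']) ? ':' . $parts['pass'] : '') . '@';
    }
    $out .= $parts['host'] ?? '';
    if (isset($parts['port'])) {
        $out .= ':' . $parts['port'];
    }
    $out .= $parts['path'] ?? '';
    if ($kept) {
        $out .= '?' . implode('&', $kept);
    }
    if (isset($parts['fragment'])) {
        $out .= '#' . $parts['fragment'];
    }
    return $out;
}

// Constructed sample URLs with made-up session values.
$samples = [
    'http://www.example.com/cart.php?item=42&PHPSESSID=0123456789abcdef0123456789abcdef&page=2',
    '/shop/index.php?PHPSESSID=0123456789abcdef0123456789abcdef',
    'http://www.example.com/about.html#contact',
];
foreach ($samples as $u) {
    echo strip_session_params($u), "\n";
}
```

This only cleans URLs after the fact; the session settings given in post #2 are what stop PHP from putting the ID in URLs in the first place.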
