Overriding PHP INI Setting session.use_trans_sid=0

My Hosting Service has the following PHP settings [per phpinfo():]

session.use_cookies      On   On
session.use_only_cookies Off  Off
session.use_trans_sid     0    0

This means that while my Session ID is stored in a cookie it will not be
automatically appended to my "a href" URLs when clicked. I am dealing with
some paranoid users who may have turned off cookie support or who monitor
cookie usage and reject some cookies or domains (I will not even get into
those who have "protected themselves" by turning off JavaScript <g>).

Thus I need to be able to compensate for their refusal to accept the
automatic cookie used by Sessions Support to pass the Session Id back to the
scripts when they start by having PHP append a "?PHPSESSID = ..." to my

This requires that session.use_trans_sid=1 (which I am attempting to do via
these commands at the top of my pages):


The ?PHPSESSID = is not showing up when I use a x.php link on my pages. The
location bar when I click the link is just x.php. While I can force the
needed parm by hard coding the ?PHPSESSID = in my links, I would rather go
the automatic route.

I need sessions so that I can have restricted pages/areas which are only
viewable by those who have logged in and have the requisite viewing
authority. All others when attempting to view the pages will get a "Please
Login to view this page/area" notification (and a link to the Login Page) if
not logged in or a "You Are Not Authorized to view this Page/Area"
notification if logged in but not authorized.

I can post my testing code (for forcing the URL) if that will help diagnose
my problem.

Thank You.

Re: Overriding PHP INI Setting session.use_trans_sid=0

Robert Rosenberg wrote:

And that is good so.

You cannot solve social problems with technology alone.  The users need
to be educated, and their systems configured, to accept these cookies if
they want to use your application.  In fact, if your session cookie is a
non-persistent cookie (that which browser vendors call a "session cookie"),
nobody sane should have any problem with setting it (of course, paranoia is
a form of insanity per ICD-10, but I assume you meant that rather jokingly).  
You should use session_set_cookie_params() to achieve that if you cannot set
the session.* configuration settings in php.ini:


Appending the session ID to the URI of requests instead would create a
security hole in your application, as sessions could be rather easily
hijacked by an attacker; not only would it be transferred verbatim, it would
also be stored in the user's browser history.  Surely especially "paranoid"
users can understand the associated risks.

Since those settings are PHP_INI_ALL-changeable, this should work, although
it is definitely inadvisable.

<http://php.net/manual/en/session.configuration.php#ini.session.use-only -
<http://php.net/manual/en/session.configuration.php#ini.session.use-trans -

And that is good so.

That does not mean anything, redirection may have taken place in the
meantime.  What matters is what the initial request looks like, primarily
what the `href' attribute value looks like.

… which would be a stupid idea …

You should not follow your approach any further.

When all you know is jQuery, every problem looks $(olvable).
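
A cookie-only session setup with the login and authorization gate described in the question, as an added example that is not code from any poster in this thread. The session keys `user_id` and `roles`, the role name `members`, the helper function names and the `login.php` link are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Session keys, role names and
// login.php are hypothetical.

// The session ID travels in a cookie only; it is never read from or put in URLs.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Lifetime 0 makes the cookie non-persistent: it is dropped when the browser closes.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $secure, true); // last argument: HttpOnly
session_start();

// Returns 'ok', 'login' (nobody logged in) or 'forbidden' (logged in, wrong role).
function access_decision(array $session, string $requiredRole): string
{
    if (empty($session['user_id'])) {
        return 'login';
    }
    $roles = isset($session['roles']) && is_array($session['roles']) ? $session['roles'] : [];
    return in_array($requiredRole, $roles, true) ? 'ok' : 'forbidden';
}

// Stops the request with the matching notice unless access is allowed.
function require_role(string $requiredRole): void
{
    $decision = access_decision($_SESSION, $requiredRole);
    if ($decision === 'ok') { return; }
    http_response_code(403);
    echo $decision === 'login'
        ? 'Please log in to view this page/area. <a href="login.php">Login</a>'
        : 'You are not authorized to view this page/area.';
    exit;
}

// Call from the login script once credentials have been verified elsewhere.
function on_login_success(int $userId, array $roles): void
{
    session_regenerate_id(true); // issue a fresh ID when privileges change
    $_SESSION['user_id'] = $userId;
    $_SESSION['roles'] = $roles;
}

require_role('members');
echo 'Restricted content';
```

A visitor whose browser rejects the cookie gets the login notice on every request, which matches the "cookies are required for this feature" position taken in the replies.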

Re: Overriding PHP INI Setting session.use_trans_sid=0

On 5/26/2012 5:59 PM, Robert Rosenberg wrote:

Security and PHPSESSID don't go well together.  That's why most sites
just say up front that cookies are required to use some features of the
site.  If the user doesn't want to use cookies, then they can't use
those features of the site.  And personally, I really don't think these
days it's bad to require cookies for some features.  It's good to be
careful, but you can also be paranoid.

But if you insist - you also need to ensure url_rewriter.tags is set to
the appropriate value (it may have been changed from the default).

Also, there have been some bugs in this area, depending on your php
version.  Bug 38422 indicates you can't change the value with ini_set()
between versions 4.2.3 and 5.0; no word about later versions.  This can
be handled by setting the value in your .htaccess file if allowed (most
Apache hosts will allow this - and it's better than doing it in each php

There's also a recent bug (#61565, still open) which indicates you must
have session.use_cookie=off to make the trans_sid work.  I don't know
whether it will affect you or not.

Hope this helps.

