Phpsessionid


newlinks
07-21-2005, 01:01 PM
Hi,

I'm having trouble suppressing the PHPSESSIONID in the URL on my site when you first log in.

The normal method (as I'm sure you are aware) of suppressing it is to put the following line in php.ini (which we haven't got access to) or in .htaccess.

php_value session.use_trans_sid off

I've put that (and tried it with php_flag too) in the .htaccess and it's still showing. Someone got a referral from one of my admin pages with the PHPSESSIONID info and followed it back. Because the session was still active he had full admin rights over my site!

A friend who knows way more about Apache than me has told me that .htaccess rules are only applied if the global .htaccess allows those rules so it may be that that could be why it's being ignored?

I'd REALLY appreciate a solution to this. :)

TIA,
mmChronic,
http://www.new-links.info/

newlinks
07-21-2005, 01:16 PM
I've just read on this thread (http://www.siteground.com/forum/showthread.php?t=120) you can have your own custom ini.php. Other multi site servers I've been on in the past haven't allowed that.

Anyway I've put the settings in there and it seems to work. Thought I'd post this in case anyone else runs into the same problem.
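
A runtime check for the situation described in this thread, where a session directive placed in .htaccess is silently ignored. This is an added example, not code from either post; it assumes PHP 7 or later and that the file is included before any output is sent and before the session is started.

```php
<?php
// Added example, not from the thread. Include before session_start()
// and before any output is sent.

// Values that keep the session ID in a cookie and out of URLs.
$wanted = [
    'session.use_trans_sid'    => false, // do not rewrite links with the ID
    'session.use_cookies'      => true,  // carry the ID in a cookie
    'session.use_only_cookies' => true,  // ignore an ID passed in the URL
];

// ini_get() returns strings such as "1", "", "0" or "off"; normalise to bool.
function effective_flag(string $key): bool
{
    return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
}

$problems = [];
foreach ($wanted as $key => $value) {
    if (effective_flag($key) === $value) {
        continue; // php.ini or .htaccess already applied the safe value
    }
    // The directive was not applied; try to set it for this request only.
    if (ini_set($key, $value ? '1' : '0') === false
        || effective_flag($key) !== $value) {
        $problems[] = $key;
    }
}

if ($problems) {
    // Fail closed rather than start a session whose ID may end up in links.
    error_log('Unsafe session settings in effect: ' . implode(', ', $problems));
    http_response_code(500);
    exit('Session configuration error.');
}

session_start();

// A request that still carries the ID in its query string came from an old
// rewritten link; log it so leaked URLs can be spotted.
if (isset($_GET[session_name()])) {
    error_log('Session ID present in URL for ' . $_SERVER['SCRIPT_NAME']);
}
```

Because the check reads the effective values rather than the configuration files, it gives the same answer whether the setting came from php.ini, .htaccess or nowhere at all.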