Reputation: 4673
How can I make trans_sid (cookie-less sessions) work in PHP 7.1
I cannot tell if this is a bug in PHP 7.0 and 7.1 or a configuration error that is fixable. I have an application that has used cookie-less sessions in PHP for years very successfully. But things keep breaking in PHP 7.0 and PHP 7.1. Here is the PHP script:
<?php
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies',0);
ini_set('session.use_trans_sid',1);
session_start();
?>
<p><a href="index.php">Click This Anchor Tag!</a></p>
<p><a href="#place">Internal link</a></p>
<p>Our Session ID is: <?= session_id() ?></p>
<p>Our PHP Version is: <?= phpversion() ?></p>
In PHP 5.6.28 and all earlier versions as well as PHP 7.0.x, the configuration option url_rewriter.tags decides which tags get the session appended automatically. The default for this is:
url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
http://php.net/manual/en/outcontrol.configuration.php#ini.url-rewriter.tags
With this as default, the correct output of the above script in PHP 5.6.28 is:
<p><a href="index.php?PHPSESSID=aec2a7538bfe295d6a6c9ff70c42f8eb">Click This Anchor Tag!</a></p>
<p><a href="#place">Internal link</a></p>
<p>Our Session ID is: aec2a7538bfe295d6a6c9ff70c42f8eb</p>
<p>Our PHP Version is: 5.6.28</p>
But now we move to PHP 7.0.13 - it is configured the same way as PHP 5 so it has:
url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
But the output of the above script in PHP 7.0.13 is:
<p><a href="index.php">Click This Anchor Tag!</a></p>
<p><a href="#place">Internal link</a></p>
<p>Our Session ID is: a336e933e677c001ae8faf20b7158fb4</p>
<p>Our PHP Version is: 7.0.13</p>
Nothing is rewritten.
In PHP 7.1, there is a new configuration variable called session.trans_sid_tags which accomplishes the same thing. In my PHP 7.1.0 instance I have:
session.trans_sid_tags="a=href,area=href,frame=src,form=" (default)
This is not in the php.ini file but looking at PHPInfo the default is what we get.
http://php.net/manual/en/session.configuration.php#ini.session.trans-sid-tags
In PHP 7.1 it is almost working:
<p><a href="index.php?PHPSESSID=a17309afea8f2791078fc046cce5fa56">Click This Anchor Tag!</a></p>
<p><a href="#place/?PHPSESSID=a17309afea8f2791078fc046cce5fa56">Internal link</a></p>
<p>Our Session ID is: a17309afea8f2791078fc046cce5fa56</p>
<p>Our PHP Version is: 7.1.0</p>
It is mistakenly rewriting the named anchor #place. Everything else is working.
Help - I am wondering if there is just a configuration option in PHP 7.1.0 that is missing or is this just a bug in PHP 7 that is not yet working.
Upvotes: 5
Views: 740
Answers (0)
Related Questions
- Cookie less sessions in PHP
- php session.use_trans_sid
- PHP Session id cookie spoofing
- PHP - Session ID changing when using session.use_trans_sid
- PHP Session SID URL - url does not have SID
- PHPSESSID via get
- Transmit Session IDs in URLs (Session trans_sid equivalent Laravel)
- cookieless authentication in php5
- Make use_trans_sid work (Append Session ID to URL)
- How come cookie path doesn't take effect?