Session variable displays in browser message and/or URL address field

Problem: Session variable displays in browser message and/or URL address field

On several sites I’m using sessions to start every page (all .php): session_name('whatever'); session_start(); I do this because in some of the pages I have edit functions. If someone selects ‘login.php’ and successfully logs in, I set up a few variables such as user type (admin, user, etc.) and a few other privileges.

Background:

$_SESSION['stype'] = $row['type']; // this grabs user type out of the db and sets a session variable.

So for instance if you were to select the FAQ page and are logged in as an admin you get the ‘edit’ button and are authorized to use the update/edit page as well. I’m also using the session to control my navigational menus. If you are ‘logged in’ you get an extended or different version of the menu with administration options. All this seems to work flawlessly.

The apparent problem is cosmetic only. When you first access the home page, the information area at the bottom of the browser (Firefox) displays navigational links with the session variable. Then if you select one of the links it will display the link with the session id as well. None of this causes any problems but it sure looks dumb.

Question: Is there a way to disable displaying the variables without breaking the functionality, or is that why sites commonly set up administration under an admin directory, making it less apparent? Or, of course, have I done something else wrong?

In addition, the other odd thing – once I have selected one of the links (without being logged in) such as hitting ‘Home’ twice, the session variables will eventually cease display, yet of course nothing is functionally broken. If you opt to login all is fine in Mayberry.

Answer/Solution:
If the browser hasn’t accepted the session cookie, then PHP by default puts it in the query string for every link, which as you already know looks stupid. The first time you load a page, the browser doesn’t have a session cookie yet, so PHP has no way of knowing if it’s going to accept the session cookie, which is why it puts the session id on every link (to make sessions still work even without cookies). After you click a link, if your browser accepted the cookie, PHP should notice that the browser sent a session cookie and stop messing with the links (at least until the cookie expires).

To tell PHP not to mess with links, add the following line to your .htaccess file (or php.ini), depending on how your hosting server manages the webserver:

php_flag session.use_trans_sid off
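
A session id carried in a link also ends up in browser history, server logs and Referer headers, so the same settings can be enforced from the code that starts each page. The following is an added example, not code from the original post: it assumes PHP 7.3 or later and an HTTPS site, reuses the session name 'whatever' and the 'stype' variable from the question, and the helper names start_site_session() and complete_login() are hypothetical.

```php
<?php
// Added example: session bootstrap that keeps the session id out of URLs.
// Assumptions: PHP 7.3+, HTTPS site, session name 'whatever' as in the question.
// start_site_session() and complete_login() are hypothetical helper names.

function start_site_session(): void
{
    // Same effect as "php_flag session.use_trans_sid off" in .htaccess,
    // or "session.use_trans_sid = 0" in php.ini: never rewrite links or
    // forms to carry the session id.
    ini_set('session.use_trans_sid', '0');

    // Accept the session id from the cookie only, so an id supplied in a
    // query string is ignored.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');

    // Reject ids that this server did not generate itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser is closed
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_name('whatever');
    session_start();
}

function complete_login(array $row): void
{
    // Issue a fresh id when privileges change and delete the old session,
    // so an id seen before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['stype'] = $row['type'];
}

// Call at the top of every page, before any output is sent.
start_site_session();

// After a successful login, with $row fetched from the database:
// complete_login($row);
```

With cookies disabled in the browser, a site configured this way loses the session between pages instead of falling back to ids in links.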
