[drupal-devel] [bug] settings.php change to prevent PHPSESSID in URL

killes drupal-devel at drupal.org
Mon Aug 1 01:17:28 UTC 2005

Issue status update for 
Post a follow up: 

 Project:      Drupal
 Version:      4.6.0
 Component:    other
 Category:     bug reports
 Priority:     normal
 Assigned to:  kbahey
 Reported by:  kbahey
 Updated by:   killes at www.drop.org
 Status:       patch (code needs review)

I think sessions would still work. I am not convinced we should add this
to settings.php, though.  Maybe as an uncommented option?

killes at www.drop.org

Previous comments:

Sat, 23 Apr 2005 16:47:20 +0000 : kbahey

Attachment: http://drupal.org/files/issues/settings_0.patch (576 bytes)

As per the workaround mentioned in discussion [1], the default
settings.php file that is shipped does not always prevent PHP from
adding the PHPSESSID in the URL.

Although this is a hosting setting issue, a workaround exists for it:

A patch is attached, and it just adds the following line to

ini_set('url_rewriter.tags', '');
[1] http://drupal.org/node/17947#comment-36339


Sun, 24 Apr 2005 12:33:12 +0000 : Dries

If this mechanism kicks in, your session ID isn't shared but the
sessions probably won't work either.  Is this a good idea?


Sun, 24 Apr 2005 14:56:41 +0000 : kbahey

I am not sure which is the lesser evil: not having sessions or having
session IDs in the URL.

Perhaps we can add it in the settings.php as a comment ("If you still
have the sessions in the URL then try this" kind of thing).

More information about the drupal-devel mailing list