Quote:
m0nty wrote:
trans_sid being enabled will show sid in the url.. this is not what you want, leave it disabled as it should be..
It is disabled in .htaccess, but doing so will NOT stop a user/spider from doing this:
http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c
It will only stop the sid being shown in the url from the server side (Apache), never stop it from the client side. This should be made clear, because I see that some people are concerned about links to their site with the session id in the link.
Having custom sessions set to 'yes' is one safeguard, but I have proven that if a user has _that_ setting, and a visitor has the session id in the url, then no cookie at all will be set.
Quote:
m0nty wrote:
by giving your browser a phpsessionid manually you allowed it to use that session, but generally if you go to your site and trans_sid is off, you shouldn't see it.. neither should bots be able to read it either on indexed pages..
Past experience with bots is that some reindex regularly, some do not for many months, therefore the bots that are in the latter case, do continue to use the session id, despite _all_ the possible settings in XOOPS and Apache.
This was a big security risk for a friend, so much so, that we added some mod_rewrite code so that if a bot came to the site with a GET of:
http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c
Apache mod_rewrite did a good job and the url became
http://www.example.com/index.php
even if the session id was anywhere within the url, it worked very well.
P
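The post above does not show the mod_rewrite rules that were used. The following is an added example of one way to get the behaviour it describes, not the poster's own configuration; it assumes mod_rewrite and mod_php are enabled and that the file is the .htaccess in the document root.

```apache
# Added example, not the poster's actual rules.
# Assumes mod_rewrite and mod_php, in the document-root .htaccess.

# PHP side: never write the session ID into links, and ignore one that
# arrives in the URL, so ?PHPSESSID=... from a client cannot pick a session.
php_flag session.use_trans_sid off
php_flag session.use_only_cookies on

RewriteEngine On

# Only redirect safe methods, so form POSTs are not turned into GETs.
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$

# Match PHPSESSID as a whole parameter anywhere in the query string.
#   %1 = parameters before it (with their trailing "&")
#   %2 = parameters after it
RewriteCond %{QUERY_STRING} ^(.*&)?PHPSESSID=[^&]*&?(.*)$ [NC]

# Redirect permanently to the same path without the parameter, so crawlers
# replace the stale URL in their index. When no other parameter remains,
# the substitution ends in a bare "?" and mod_rewrite drops the query string.
RewriteRule ^(.*)$ /$1?%1%2 [R=301,L]
```

With these rules a request for `/index.php?PHPSESSID=...` is answered with a 301 to `/index.php`, and other query parameters are preserved.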