i did something a while back can't remember what, but it removed PHPSESSID from the urls, so when someone posted a link from the site, it wouldn't let people take over their account..

but one user, when viewing links on the site always has that PHPSESSID with the url, and he posts a link to someone who then gained access to his account through that link

how can i remove it completely so no-one runs the risk of getting thier account took over when posting links from the site?

the site is using

Powered by XOOPS 2.0.9.2 © 2001-2003

For one update to the latest 2.0.13.2 XOOPS version, then if you have access to php.ini disable the session id there.

i am using that autologin hack, and also would updating effect the auto login hack and my skin..

any big changes that would effect a skin that works with an earlier version

cheers

its a server side issue.. if u can use htaccess or have access to php.ini, then you can use ?

htaccess method:

php_flag session.trans_sid off
php_flag session.use_only_cookies on

trans.sid off is the main thing, but use_only_cookies on, will add a bit of security too.

for php.ini:

session.use_trans_sid 0
session.use_only_cookies 1