phpBB

Development Discussion Board

phpBB's testing ground of bleeding edge code

Use of the append_sid function

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.1/Ascreaus followed by 3.2/Arsia.

Postby TerryE » Wed May 11, 2011 8:43 am

If you grep "append_sid(" in the source tree then you will see that many URL links within a PHP document explicitly append a SID, despite the use of a cookie to maintain the sid as well. I can't understand the reason for this duplication. OK, I realise that some users can disable cookies and therefore we can't rely on the SID cookie, but if the SID cookie was set on the page invocation, then they haven't for this session.

Embedding the SID in a URL can cause undesirable side-effects:

  • Bookmarking the link will fix the sid, and won't work anyway once the session has expired and will require the user to log in again, even if he or she already has a valid session open.

  • Appending the SID to quasi-static items such as style.php and download/file.php frustrates local caching on the browser, since browsers will treat URLs with different SIDs as different items. Such unnecessary repeat downloads are a material % of my aggregate site bandwidth.

  • This introduces security loop-holes if the user publishes the URI or sends it to a colleague, as this will mean that the recipient will acquire the sender's session context.
Surely we should only append SID if cookies are disabled in the browser?
TerryE
Registered User
Posts: 95
Joined: Sat May 23, 2009 12:24 am

Re: Use of the append_sid function

Postby naderman » Wed May 11, 2011 11:37 am

append_sid only appends the session ID when it's not present in a session cookie (yet). So either on the first request where one doesn't know if cookies work yet or if cookies are actually disabled.

So to improve this we can only either drop support for sessions without cookies (which seems normal everywhere else on the web) or try to figure out some javascript hack to avoid having them at all on the first page view.
www.naderman.de
Move your forum to Forumatic - we'll take care of maintenance & spam
naderman
Development Team Leader
Posts: 1650
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: Use of the append_sid function

Postby TerryE » Wed May 11, 2011 12:39 pm

Hummm, I need to look at the code and the apache log analysis, but my current view is that it isn't as simple as that. For example, once the sid parameter is set then it seems to be latched, so that subsequent pages have it, even if the <forum cookie prefix>_sid cookie is returned as a request header.

For example, such SID-triggered redownloads of style.php take up about 5% of my total network bandwidth on OOo. Given that this function has no user or session-specific context other than the style selection, which is already a URI parameter, I don't understand why one would want to attach a sid to such style links anyway.
TerryE
Registered User
Posts: 95
Joined: Sat May 23, 2009 12:24 am

Re: Use of the append_sid function

Postby naderman » Sat May 14, 2011 4:33 pm

There are some instances of append_sid calls where the session id in the URL is enforced. For example ACP/MCP pages that require a session id to be present in the URL for additional security. style.php always gets a session id in the url for historic reasons, but this won't be a problem anymore after viewtopic.php?f=84&t=33456
www.naderman.de
Move your forum to Forumatic - we'll take care of maintenance & spam
naderman
Development Team Leader
Posts: 1650
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany
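As an added illustration of the rule naderman describes above (sid appended only when the session cookie is absent, or when forced for ACP/MCP links) and of the caching and link-sharing effects TerryE raises, here is a small Python model. It is not phpBB's own append_sid; the cookie name, the sessions and the URLs are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed cookie name; phpBB uses "<cookie prefix>_sid".
SESSION_COOKIE = "phpbb3_sid"


def _without_sid(parts):
    """Return the query of a split URL with any sid parameter removed."""
    return [(k, v) for k, v in parse_qsl(parts.query) if k != "sid"]


def append_sid(url, session_id, cookies, force=False):
    """Model of the rule from the thread: the sid goes into the URL only when
    the browser did not send the session cookie (first request, or cookies
    disabled), or when the caller forces it, as for ACP/MCP links."""
    if cookies.get(SESSION_COOKIE) == session_id and not force:
        return url
    parts = urlsplit(url)
    query = _without_sid(parts)
    query.append(("sid", session_id))
    return urlunsplit(parts._replace(query=urlencode(query)))


def strip_sid(url):
    """Drop the sid before a URL is bookmarked, logged or shared: a URL-borne
    session id is a bearer token for whoever receives the link."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=urlencode(_without_sid(parts))))


def cache_variants(url, sessions):
    """Number of distinct URLs browsers would cache for one resource, given a
    list of (session_id, cookies) pairs, one per constructed client. Browsers
    key their cache on the full URL, so each distinct sid is a separate item."""
    return len({append_sid(url, sid, cookies) for sid, cookies in sessions})
```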