Remove sid-link value from posts

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.2/Rhea followed by 3.3.

Dragosvr92
Registered User
Posts: 624
Joined: Tue May 31, 2011 12:08 pm
Location: Romania

Remove sid-link value from posts

Post by Dragosvr92 » Sun Aug 16, 2015 2:38 am

The sid value is only relevant to the user access. The user doesn't care about it, but needs it to access the site.

Many don't bother to just copy the link without the sid and they post it entirely... When a link is detected to have a ?sid= value in it, the phpBB engine should just ignore it and post the link without it. But, I think I recall hearing the sid will be embedded into a cookie, as it should... It's still present in 3.1.5 though.
Previous user: TheKiller
Avatar on Memberlist 1.0.3

DavidIQ
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Remove sid-link value from posts

Post by DavidIQ » Sun Aug 16, 2015 3:04 am

Dragosvr92 wrote:
Sun Aug 16, 2015 2:38 am
But, I think I recall hearing the sid will be embedded into a cookie, as it should... It's still present in 3.1.5 though.

Will be? Has been since version 2 of phpBB, maybe even before that. The reason the SID query string still exists is because of people blocking cookies and incorrect site cookie settings.

I do find the idea of removing the SID as something that might be beneficial though. Could probably just be done through the new parser, if not already being done.

Re: Remove sid-link value from posts

Post by Dragosvr92 » Sun Aug 16, 2015 8:19 am

Is it really...? I think it isn't removed completely, from all url types. It seems that only the MCP and ACP links still keep the sids on my board.
I'm not blocking cookies and they are configured properly. It's still popping up. I was referring to this btw, viewtopic.php?f=84&t=42577&start=10#p266831


I've sent a ticket. https://tracker.phpbb.com/browse/PHPBB3-14105

Re: Remove sid-link value from posts

Post by DavidIQ » Sun Aug 16, 2015 11:42 am

There has always been a cookie, otherwise you couldn't stay logged in. If there is an SID being appended to ACP and MCP sessions then that is either a bug or intentional.

Re: Remove sid-link value from posts

Post by Dragosvr92 » Sun Aug 16, 2015 8:34 pm

I know there was. But it always gave me the impression that not the entire functionality is embedded into a cookie.

JoshyPHP
Registered User
Posts: 350
Joined: Fri Jul 08, 2011 9:43 pm

Re: Remove sid-link value from posts

Post by JoshyPHP » Wed Aug 19, 2015 6:27 pm

There's something in message_parser::validate_url() that seems to remove sid= from local URLs. I can't explain why it calls append_sid() afterward though.

// Is this a link to somewhere inside this board? If so then remove the session id from the url
if (strpos($url, generate_board_url()) !== false && strpos($url, 'sid=') !== false)
{
	$url = preg_replace('/(&|\?)sid=[0-9a-f]{32}&/', '\1', $url);
	$url = preg_replace('/(&|\?)sid=[0-9a-f]{32}$/', '', $url);
	$url = append_sid($url);
}

message_parser::validate_url() is not used in 3.2. I've sent a PR that runs the equivalent code in 3.2. However, generate_board_url() adds a mystery dependency to request and I think this code is bloat. Removing generate_board_url() and just removing sid= from every URL makes it a fair bit less crummy, although I think the whole thing is more trouble than it's worth.

Nicofuma
3.2 Release Manager
Posts: 297
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Remove sid-link value from posts

Post by Nicofuma » Wed Aug 19, 2015 7:30 pm

Honestly I don't see any good reason to keep the sid from any url.
Member of the phpBB Development-Team
No Support via PM

Re: Remove sid-link value from posts

Post by JoshyPHP » Wed Aug 19, 2015 8:05 pm

Nicofuma wrote:
Wed Aug 19, 2015 7:30 pm
Honestly I don't see any good reason to keep the sid from any url.

Cool, let's shred this diff then. I removed the calls to generate_board_url() and append_sid().

https://github.com/phpbb/phpbb/pull/3847
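
The approach described in the post above (drop sid= from every URL, with no generate_board_url() or append_sid() call), as an added example that is not the code from the pull request or from phpBB. It parses the query string instead of using two regexes, so it also covers a sid followed by a #fragment, and it keeps the poster's session identifier out of the published link. The function name, the board.example host and the sample sid are constructed; the 32-hex-character sid format is taken from the regex quoted in the thread.

```php
<?php
// Added example (not phpBB code). Assumes a sid is 32 lowercase hex chars,
// as in the regex quoted in the thread.
function strip_sid_from_url(string $url): string
{
    // Set the fragment aside so "...&sid=<hex>#p266831" is handled; the
    // quoted regexes only match a sid followed by "&" or end of string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }

    $qpos = strpos($url, '?');
    if ($qpos === false) {
        return $url . $fragment; // no query string, nothing to strip
    }
    $base = substr($url, 0, $qpos);
    $pairs = explode('&', substr($url, $qpos + 1));

    // Keep every parameter except a well-formed sid.
    $kept = array_filter($pairs, function ($pair) {
        return !preg_match('/^sid=[0-9a-f]{32}$/', $pair);
    });
    if (count($kept) === count($pairs)) {
        return $url . $fragment; // no sid present: return the URL untouched
    }
    $query = implode('&', $kept);
    return $base . ($query !== '' ? '?' . $query : '') . $fragment;
}

// Constructed sample input: board.example and the sid value are made up.
$sid = str_repeat('0123456789abcdef', 2);
$samples = [
    "https://board.example/viewtopic.php?f=84&t=42577&sid=$sid",
    "https://board.example/viewtopic.php?sid=$sid&f=84&t=42577",
    "https://board.example/viewtopic.php?f=84&sid=$sid#p266831",
    "https://board.example/index.php?sid=$sid",
    "https://board.example/viewtopic.php?f=84&t=42577",
];
foreach ($samples as $url) {
    echo strip_sid_from_url($url), "\n";
}
```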

paulus
Infrastructure Team Leader
Posts: 361
Joined: Thu Sep 16, 2004 9:02 am

Re: Remove sid-link value from posts

Post by paulus » Thu Aug 20, 2015 7:16 am

JoshyPHP wrote:
Wed Aug 19, 2015 6:27 pm
There's something in message_parser::validate_url() that seems to remove sid= from local URLs. I can't explain why it calls append_sid() afterward though.

// Is this a link to somewhere inside this board? If so then remove the session id from the url
if (strpos($url, generate_board_url()) !== false && strpos($url, 'sid=') !== false)
{
	$url = preg_replace('/(&|\?)sid=[0-9a-f]{32}&/', '\1', $url);
	$url = preg_replace('/(&|\?)sid=[0-9a-f]{32}$/', '', $url);
	$url = append_sid($url);
}

message_parser::validate_url() is not used in 3.2. I've sent a PR that runs the equivalent code in 3.2. However, generate_board_url() adds a mystery dependency to request and I think this code is bloat. Removing generate_board_url() and just removing sid= from every URL makes it a fair bit less crummy, although I think the whole thing is more trouble than it's worth.

It calls append_sid so if a SID is needed (Client doesn't support cookies, board configured wrong), it adds the SID for the current session, and not from the user who posted.

Re: Remove sid-link value from posts

Post by JoshyPHP » Thu Aug 20, 2015 11:09 am

paulus wrote:
Thu Aug 20, 2015 7:16 am
It calls append_sid so if a SID is needed (Client doesn't support cookies, board configured wrong), it adds the SID for the current session, and not from the user who posted.

But do you know why it calls append_sid()? Why would it remove the SID of a link and replace it with the SID of the user posting/editing the text?
