Remove sid-link value from posts

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.2/Rhea followed by 3.3.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.1. If you need support for phpBB 3.1 please visit the 3.1.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ » Fri Aug 21, 2015 1:00 am

The assumption is probably that if there is an SID the board needs it for displaying the page for whatever reason. Rather than making it disappear it gets replaced with the current user's SID on post load, or at least that's what it was supposed to do.
Image

User avatar
JoshyPHP
Registered User
Posts: 349
Joined: Fri Jul 08, 2011 9:43 pm

Re: Remove sid-link value from posts

Post by JoshyPHP » Fri Aug 21, 2015 1:04 am

It's run when the post is parsed. I assume it's run for a side-effect, not for actually appending the SID.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ » Fri Aug 21, 2015 1:05 am

Yes the side effect being that the user actually remains logged in if they click on the link.
Image

User avatar
JoshyPHP
Registered User
Posts: 349
Joined: Fri Jul 08, 2011 9:43 pm

Re: Remove sid-link value from posts

Post by JoshyPHP » Fri Aug 21, 2015 1:12 am

I'm talking about append_sid() in message_parser::validate_url() which is run when the post is parsed, not displayed. Judging by the original commit the intention was to run it when the post is displayed. Original bug: https://tracker.phpbb.com/browse/PHPBB3-3199

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ » Fri Aug 21, 2015 1:49 am

Oh so it's in reverse from what I was thinking, although I'm pretty sure, as you've said, that it should have been on post display as the opposite doesn't seem to make sense.

I wonder if the SID should be removed on save and just appended when needed, I.e. when it's already present in the user's URL...
Image

User avatar
Dragosvr92
Registered User
Posts: 624
Joined: Tue May 31, 2011 12:08 pm
Location: Romania
Contact:

Re: Remove sid-link value from posts

Post by Dragosvr92 » Fri Aug 21, 2015 3:22 pm

I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
Previous user: TheKiller
Avatar on Memberlist 1.0.3

User avatar
Elsensee
Development Team
Development Team
Posts: 36
Joined: Sun Mar 16, 2014 1:08 pm
Location: Hamburg, Germany
Contact:

Re: Remove sid-link value from posts

Post by Elsensee » Sat Aug 22, 2015 3:48 pm

Dragosvr92 wrote:
Fri Aug 21, 2015 3:22 pm
I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
No, because that would take forever but we want to add a cron job for reparsing everything. I don't know the status of that, though.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 297
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Remove sid-link value from posts

Post by Nicofuma » Thu Aug 27, 2015 9:00 pm

Actually I agree with s9e and I don't really think we should remove the sid. It's not an easy task because if we do that it's only for local urls.
Sure it could be a small security hardening.... but I don't really like it.
Member of the phpBB Development-Team
No Support via PM

KnownSyntax
Registered User
Posts: 6
Joined: Thu Aug 27, 2015 10:39 pm
Location: Arizona, United States
Contact:

Re: Remove sid-link value from posts

Post by KnownSyntax » Mon Aug 31, 2015 7:43 am

Honestly removing the SID would be better for those boards that might have things configured incorrectly (personally it doesn't bother me since I don't have any SID values being added to the URL since everything is correct). Maybe instead of having a SID being appended, there might be an internal message in the administrator control panel? Or to go even further then that maybe something that will prevent the user from accessing the board without being signed in as an administrator (similar to how the /install/ folder lock works)?
FreshAquaria - Freshwater Discussion and Knowledgebase

fifth-column
Registered User
Posts: 1
Joined: Fri Jun 16, 2017 9:00 pm

Re: Remove sid-link value from posts

Post by fifth-column » Sun Jun 18, 2017 12:18 pm

There should be a way to hide the SID from the URL.
I dont know much about .htaccess mod rewriting but I believe the answer lies in modifying the .htaccess with a modrewrite rule:
https://stackoverflow.com/questions/771 ... h-htaccess

The SID is still visible in V3.2
Admin logout, takes you to the index page with a SID.

Post Reply