Remove sid-link value from posts

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ »

The assumption is probably that if there is an SID the board needs it for displaying the page for whatever reason. Rather than making it disappear it gets replaced with the current user's SID on post load, or at least that's what it was supposed to do.
Image

User avatar
JoshyPHP
Registered User
Posts: 381
Joined: Fri Jul 08, 2011 9:43 pm

Re: Remove sid-link value from posts

Post by JoshyPHP »

It's run when the post is parsed. I assume it's run for a side-effect, not for actually appending the SID.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ »

Yes the side effect being that the user actually remains logged in if they click on the link.
Image

User avatar
JoshyPHP
Registered User
Posts: 381
Joined: Fri Jul 08, 2011 9:43 pm

Re: Remove sid-link value from posts

Post by JoshyPHP »

I'm talking about append_sid() in message_parser::validate_url() which is run when the post is parsed, not displayed. Judging by the original commit the intention was to run it when the post is displayed. Original bug: https://tracker.phpbb.com/browse/PHPBB3-3199

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: Remove sid-link value from posts

Post by DavidIQ »

Oh so it's in reverse from what I was thinking, although I'm pretty sure, as you've said, that it should have been on post display as the opposite doesn't seem to make sense.

I wonder if the SID should be removed on save and just appended when needed, I.e. when it's already present in the user's URL...
Image

User avatar
Dragosvr92
Registered User
Posts: 624
Joined: Tue May 31, 2011 12:08 pm
Location: Romania
Contact:

Re: Remove sid-link value from posts

Post by Dragosvr92 »

I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
Previous user: TheKiller
Avatar on Memberlist 1.0.3

User avatar
Elsensee
Former Team Member
Posts: 42
Joined: Sun Mar 16, 2014 1:08 pm
Location: Hamburg, Germany
Contact:

Re: Remove sid-link value from posts

Post by Elsensee »

Dragosvr92 wrote: Fri Aug 21, 2015 3:22 pm I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
No, because that would take forever but we want to add a cron job for reparsing everything. I don't know the status of that, though.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 299
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Remove sid-link value from posts

Post by Nicofuma »

Actually I agree with s9e and I don't really think we should remove the sid. It's not an easy task because if we do that it's only for local urls.
Sure it could be a small security hardening.... but I don't really like it.
Member of the phpBB Development-Team
No Support via PM

KnownSyntax
Registered User
Posts: 6
Joined: Thu Aug 27, 2015 10:39 pm
Location: Arizona, United States

Re: Remove sid-link value from posts

Post by KnownSyntax »

Honestly removing the SID would be better for those boards that might have things configured incorrectly (personally it doesn't bother me since I don't have any SID values being added to the URL since everything is correct). Maybe instead of having a SID being appended, there might be an internal message in the administrator control panel? Or to go even further then that maybe something that will prevent the user from accessing the board without being signed in as an administrator (similar to how the /install/ folder lock works)?

fifth-column
Registered User
Posts: 1
Joined: Fri Jun 16, 2017 9:00 pm

Re: Remove sid-link value from posts

Post by fifth-column »

There should be a way to hide the SID from the URL.
I dont know much about .htaccess mod rewriting but I believe the answer lies in modifying the .htaccess with a modrewrite rule:
https://stackoverflow.com/questions/771 ... h-htaccess

The SID is still visible in V3.2
Admin logout, takes you to the index page with a SID.

Post Reply