Remove sid-link value from posts
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
- DavidIQ
- Customisations Team Leader
- Posts: 1905
- Joined: Thu Mar 02, 2006 4:29 pm
- Location: Earth
- Contact:
Re: Remove sid-link value from posts
The assumption is probably that if there is an SID the board needs it for displaying the page for whatever reason. Rather than making it disappear it gets replaced with the current user's SID on post load, or at least that's what it was supposed to do.
Re: Remove sid-link value from posts
It's run when the post is parsed. I assume it's run for a side-effect, not for actually appending the SID.
- DavidIQ
- Customisations Team Leader
- Posts: 1905
- Joined: Thu Mar 02, 2006 4:29 pm
- Location: Earth
- Contact:
Re: Remove sid-link value from posts
Yes the side effect being that the user actually remains logged in if they click on the link.
Re: Remove sid-link value from posts
I'm talking about
append_sid()
in message_parser::validate_url()
which is run when the post is parsed, not displayed. Judging by the original commit the intention was to run it when the post is displayed. Original bug: https://tracker.phpbb.com/browse/PHPBB3-3199- DavidIQ
- Customisations Team Leader
- Posts: 1905
- Joined: Thu Mar 02, 2006 4:29 pm
- Location: Earth
- Contact:
Re: Remove sid-link value from posts
Oh so it's in reverse from what I was thinking, although I'm pretty sure, as you've said, that it should have been on post display as the opposite doesn't seem to make sense.
I wonder if the SID should be removed on save and just appended when needed, I.e. when it's already present in the user's URL...
I wonder if the SID should be removed on save and just appended when needed, I.e. when it's already present in the user's URL...
- Dragosvr92
- Registered User
- Posts: 624
- Joined: Tue May 31, 2011 12:08 pm
- Location: Romania
- Contact:
Re: Remove sid-link value from posts
I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
Previous user: TheKiller
Avatar on Memberlist 1.0.3
Avatar on Memberlist 1.0.3
- Elsensee
- Former Team Member
- Posts: 42
- Joined: Sun Mar 16, 2014 1:08 pm
- Location: Hamburg, Germany
- Contact:
Re: Remove sid-link value from posts
No, because that would take forever but we want to add a cron job for reparsing everything. I don't know the status of that, though.Dragosvr92 wrote: Fri Aug 21, 2015 3:22 pm I guess this will only remove the sid from newly made posts. But, can you add the function to reparse all old posts to remove it,in the database_update.php?
Re: Remove sid-link value from posts
Actually I agree with s9e and I don't really think we should remove the sid. It's not an easy task because if we do that it's only for local urls.
Sure it could be a small security hardening.... but I don't really like it.
Sure it could be a small security hardening.... but I don't really like it.
Member of the phpBB Development-Team
No Support via PM
No Support via PM
-
- Registered User
- Posts: 6
- Joined: Thu Aug 27, 2015 10:39 pm
- Location: Arizona, United States
Re: Remove sid-link value from posts
Honestly removing the SID would be better for those boards that might have things configured incorrectly (personally it doesn't bother me since I don't have any SID values being added to the URL since everything is correct). Maybe instead of having a SID being appended, there might be an internal message in the administrator control panel? Or to go even further then that maybe something that will prevent the user from accessing the board without being signed in as an administrator (similar to how the /install/ folder lock works)?
-
- Registered User
- Posts: 1
- Joined: Fri Jun 16, 2017 9:00 pm
Re: Remove sid-link value from posts
There should be a way to hide the SID from the URL.
I dont know much about .htaccess mod rewriting but I believe the answer lies in modifying the .htaccess with a modrewrite rule:
https://stackoverflow.com/questions/771 ... h-htaccess
The SID is still visible in V3.2
Admin logout, takes you to the index page with a SID.
I dont know much about .htaccess mod rewriting but I believe the answer lies in modifying the .htaccess with a modrewrite rule:
https://stackoverflow.com/questions/771 ... h-htaccess
The SID is still visible in V3.2
Admin logout, takes you to the index page with a SID.