Will Munny Posted October 13, 2009 Posted October 13, 2009 I previously had my board 100 percent valid code... but I just upgraded to 3.0.4 and I get hundreds of errors. Most of them seem to cascade from an unescaped ampersand in session ID... eg...…e&module=global&section=login&s=128379128371' Where can I fix this?
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Better still, here's a screengrab...
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Oh no!!!... I also just noticed that 301 redirects are going to the session ID version of the URL... for example... /forum/12345-topic-title/page__s__18f0cce8a945cc9980a542 f6209171c0
Mat Barrie Posted October 13, 2009 Posted October 13, 2009 I believe that's a PHP function actually, called "cookieless sessions". And if it is, you're pretty much out of luck, because PHP adds the fraking things automatically, and PHP doesn't give a hoot about standards compliance.
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Well I'm only seeing this after upgrading. Previously I had every topic page valid. Now I get hundreds of ampersand erros in cookie session id's... My browser doesn't display the cookeis but automates services, such as bots, validators, header checkers etc etc are seeing the sessions and the invaliud code.
Mat Barrie Posted October 13, 2009 Posted October 13, 2009 Huzzah! Just make the following change to php.ini: And there you have it. Thanks to the W3C for the explanation and fix above.arg_separator.output = "&" If you don't want to support ugly cookieless session URLs at all, make this change: session.use_trans_sid = 0
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Splendid, thanks... what are the downsides of removing session URL's altogether?
bfarber Posted October 13, 2009 Posted October 13, 2009 Actually, this isn't from PHP automatically. IPB 3 was not working properly when cookies weren't supported in the browser, which was fixed in 3.0.4. We'll have to look into why the ampersand isn't escaped, however.
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Also, I just checked my php.ini file and I already have this in place. Further, session.use_trans_sid is off by default in my installation. So, I really don't know why I'm having this issue.
bfarber Posted October 13, 2009 Posted October 13, 2009 FYI, think I found why the ampersand wasn't escaped in your browsing and fixed that. We can discuss the session id itself in the bug report.
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 Is it template level or core level patch?... I ask because I'm trying to find it too :D
Will Munny Posted October 13, 2009 Author Posted October 13, 2009 So I can just change... I just tested and now everything validates perfectly. Is this safe? Is it really as elementary as this?!!$url = preg_replace( "/s=([a-zA-Z0-9]{32})(&|&)/", '', $url ) . '&s=' . $matches[1]; to... $url = preg_replace( "/s=([a-zA-Z0-9]{32})(&|&)/", '', $url ) . '&s=' . $matches[1];
Recommended Posts
Archived
This topic is now archived and is closed to further replies.