  1. phpBB
  2. PHPBB-9908

Send "Moved Permanently" before stripping off session ids for Bots.


    • Bug
    • Resolution: Fixed
    • Minor
    • 3.0.9-RC1
    • 3.0.8-RC1
    • Sessions
    • None

      Hello,

      The way sids are removed for bots is wrong in session.php. The code will result in an HTTP 302 redirecting the URL with sid to its equivalent without.

      As stated in RFC 2616 about the meaning of a 302: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
      "The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests."

      This means that the code just fails its purpose, as bots will be told to continue using the original URL, with sid!

      The suitable HTTP header for this is 301:
      "The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs."

      Simple fix: in session.php, find:

      redirect(build_url(array('sid')));

      Before it, add:

      send_status_line(301, 'Moved Permanently');

      Of course this does not fully solve the matter for so-called PITA servers, since in that case redirect will use meta refresh, but we can assume that no such server runs a search engine bot.

      Regards,

      dcz
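
The behaviour the report asks for, shown as an added example in plain PHP; this is not phpBB's code and not part of dcz's report. The function names `sid_free_uri` and `redirect_bot_without_sid` and the sample URLs are assumptions constructed here, and the caller is assumed to have already identified the request as coming from a bot.

```php
<?php
// Added example: the function names are hypothetical, not phpBB APIs.

/**
 * Return the request URI without its `sid` query parameter, or null
 * when no sid is present (no redirect needed, so no redirect loop).
 */
function sid_free_uri(string $requestUri): ?string
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    if (!array_key_exists('sid', $params)) {
        return null;
    }
    unset($params['sid']);

    $uri = $parts['path'] ?? '/';
    if ($params) {
        // Remaining parameters are kept and re-encoded.
        $uri .= '?' . http_build_query($params);
    }
    return $uri;
}

/** Answer a sid-carrying bot request with 301 instead of the default 302. */
function redirect_bot_without_sid(string $requestUri): void
{
    $target = sid_free_uri($requestUri);
    if ($target === null) {
        return;
    }
    // A bare Location header would make PHP send 302; pass 301 explicitly.
    // Assumption: a relative Location is acceptable; prepend scheme and
    // host if strict RFC 2616 absolute URIs are required.
    header('Location: ' . $target, true, 301);
    exit;
}

// Constructed sample request URIs; run with the PHP CLI to see the mapping.
foreach ([
    '/viewtopic.php?f=2&t=15&sid=0123456789abcdef0123456789abcdef',
    '/index.php?sid=0123456789abcdef0123456789abcdef',
    '/viewtopic.php?f=2&t=15',
] as $uri) {
    printf("%s => %s\n", $uri, sid_free_uri($uri) ?? '(no redirect)');
}
```

Only the first two sample URIs produce a redirect target; the third already lacks a sid and is served as is.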

            bantu Andreas Fischer [X] (Inactive)
            dcz dcz [X] (Inactive)