  1. phpBB3
  2. PHPBB3-9908

Send "Moved Permanently" before stripping off session ids for Bots.


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.0.8-RC1
    • 3.0.9-RC1
    • Sessions
    • None

    Description

      Hello,

      The way sids are removed for bots is wrong in session.php. The code will result in an HTTP 302 redirecting the URL with sid to its equivalent without.

      As stated in RFC 2616 about the meaning of a 302: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
      "The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests."

      This means that the code just fails its purpose, as bots will be told to continue using the original URL, with sid!

      The suitable HTTP header for this is 301:
      "The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs."

      Simple fix: in session.php, find:

      redirect(build_url(array('sid')));

      Before add :

      send_status_line(301, 'Moved Permanently');

      Of course this does not fully solve the matter for so-called PITA servers, since in that case redirect will use meta refresh, but we can assume that no such server runs a search engine bot.

      Regards,

      dcz
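
The redirect decision discussed in this report, as an added standalone PHP example that is not part of the original report or of phpBB's session.php. The helper name `strip_sid_for_bot()` and the sample requests are constructed for illustration.

```php
<?php
// Added example: standalone sketch, not phpBB code.
// strip_sid_for_bot() is a hypothetical helper name.

/**
 * Decide whether a request should be redirected to its sid-free URL.
 * Returns [status, location], or null when no redirect is needed
 * (returning null for sid-free URLs is what prevents a redirect loop).
 */
function strip_sid_for_bot(string $request_uri, bool $is_bot): ?array
{
    if (!$is_bot) {
        return null; // regular visitors keep their URL-based session
    }
    $parts = parse_url($request_uri);
    if ($parts === false || !isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    if (!array_key_exists('sid', $params)) {
        return null;
    }
    unset($params['sid']); // drop only the session id, keep f=, t=, ...

    $location = $parts['path'] ?? '/';
    if ($params) {
        $location .= '?' . http_build_query($params);
    }
    // 301: future references should use the sid-free URL.
    // With 302 the client keeps using the original Request-URI, sid included.
    // A live handler would emit: header('Location: ' . $location, true, 301);
    return [301, $location];
}

// Constructed sample requests: [request URI, is the client a known bot?]
$samples = [
    ['/viewtopic.php?f=2&t=10&sid=0123456789abcdef0123456789abcdef', true],
    ['/viewtopic.php?f=2&t=10', true],
    ['/index.php?sid=0123456789abcdef0123456789abcdef', false],
];
foreach ($samples as [$uri, $is_bot]) {
    $r = strip_sid_for_bot($uri, $is_bot);
    echo $uri, ' => ', $r ? "{$r[0]} Location: {$r[1]}" : 'no redirect', PHP_EOL;
}
```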

            People

              bantu Andreas Fischer
              dcz dcz [X] (Inactive)