  1. phpBB3
  2. PHPBB3-9908

Send "Moved Permanently" before stripping off session ids for Bots.

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.8-RC1
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Sessions
    • Labels:
      None

      Description

      Hello,

      The way sids are removed for bots is wrong in session.php. The code will result in an HTTP 302 redirecting the URL with sid to its equivalent without.

      As stated in RFC 2616 about the meaning of a 302: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
      "The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests."

      This means that the code just fails its purpose, as the bot will be told to continue using the original URL, with sid!

      Suitable HTTP header for this is 301:
      "The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs."

      Simple fix: in session.php, find:

      redirect(build_url(array('sid')));

      Before it, add:

      send_status_line(301, 'Moved Permanently');

      Of course this does not fully solve the matter for so-called PITA servers, since in that case redirect will use meta refresh, but we can assume that no such server runs a search engine bot.

      Regards,

      dcz
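
      A response-level check for the behaviour this report describes, as an added example that is not part of the original report or of phpBB's code: given the URL a bot requested and the status and headers that came back, it lists what is wrong with the sid-stripping redirect. The host name, sid value and sample responses are constructed, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed sample: a crawler request that still carries a session id.
REQUEST = "http://forum.example/viewtopic.php?f=2&t=15&sid=0123456789abcdef0123456789abcdef"
CLEAN = "http://forum.example/viewtopic.php?f=2&t=15"


def _key(url, drop=None):
    """Comparable form of a URL, optionally ignoring one query parameter."""
    p = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != drop]
    return (p.scheme, p.netloc, p.path, pairs)


def check_sid_redirect(request_url, status, headers, param="sid"):
    """Return a list of problems; an empty list means the redirect is correct."""
    problems = []
    if status != 301:
        # RFC 2616: after a 302 the client SHOULD keep using the Request-URI.
        problems.append(f"status {status}: crawler keeps the Request-URI, {param} included")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        # Covers the meta-refresh fallback mentioned in the report (no Location sent).
        return problems + ["no Location header"]
    target = urljoin(request_url, location)  # Location may be relative
    if any(k == param for k, _ in _key(target)[3]):
        problems.append(f"Location still carries {param}")
    elif _key(target) != _key(request_url, drop=param):
        problems.append(f"Location is not the request URL minus {param}")
    return problems


if __name__ == "__main__":
    # Constructed responses: behaviour before the fix, after it, and two failure modes.
    samples = {
        "before fix (302)": (302, {"Location": CLEAN}),
        "after fix (301)": (301, {"Location": CLEAN}),
        "301 but sid kept": (301, {"Location": REQUEST}),
        "meta refresh": (200, {"Content-Type": "text/html"}),
    }
    for name, (status, headers) in samples.items():
        print(name, "->", check_sid_redirect(REQUEST, status, headers) or "ok")
```
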

              People

              • Assignee:
                bantu Andreas Fischer
                Reporter:
                dcz dcz [X] (Inactive)