[3.0] Remove PHPSESSID

Sources/QueryString.php

@@ -398,36 +398,25 @@ public static function isFilteredRequest(array $value_list, string $var): bool
 	}
 
 	/**
-	 * Rewrite URLs to include the session ID.
+	 * Rewrite URLs for the queryless URLs option.
 	 *
 	 * What it does:
-	 * - rewrites the URLs outputted to have the session ID, if the user
-	 *   is not accepting cookies and is using a standard web browser.
 	 * - handles rewriting URLs for the queryless URLs option.
 	 * - can be turned off entirely by setting Config::$scripturl to an empty
 	 *   string, ''. (it wouldn't work well like that anyway.)
-	 * - because of bugs in certain builds of PHP, does not function in
-	 *   versions lower than 4.3.0 - please upgrade if this hurts you.
 	 *
 	 * @param string $buffer The unmodified output buffer.
 	 * @return string The modified buffer.
 	 */
 	public static function ob_sessrewrite(string $buffer): string
 	{
-		// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
-		$sid = defined('SID') ? @constant('SID') : null;
-
-		// If Config::$scripturl is set to nothing, or the SID is not defined (SSI?) just quit.
-		if (Config::$scripturl == '' || !isset($sid)) {
+		// If Config::$scripturl is set to nothing, just quit.
+		if (Config::$scripturl == '') {
 			return $buffer;
 		}
 
-		// Do nothing if the session is cookied, or they are a crawler - guests are caught by redirectexit().
-		if (empty($_COOKIE) && $sid != '' && !BrowserDetector::isBrowser('possibly_robot')) {
-			$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote(Config::$scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\??/', '"' . Config::$scripturl . '?' . $sid . '&amp;', $buffer);
-		}
 		// Debugging templates, are we?
-		elseif (isset($_GET['debug'])) {
+		if (isset($_GET['debug'])) {
 			$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote(Config::$scripturl, '/') . '\??/', '"' . Config::$scripturl . '?debug;', $buffer);
 		}
 
@@ -443,24 +432,13 @@ public static function ob_sessrewrite(string $buffer): string
 				Sapi::isOS([Sapi::SERVER_APACHE, Sapi::SERVER_LIGHTTPD, Sapi::SERVER_LITESPEED])
 			)
 		) {
-			// Let's do something special for session ids!
-			if ($sid != '') {
-				$buffer = preg_replace_callback(
-					'~"' . preg_quote(Config::$scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&amp;))((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
-					function ($m) {
-						return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html?' . $sid . ($m[2] ?? '') . '"';
-					},
-					$buffer,
-				);
-			} else {
-				$buffer = preg_replace_callback(
-					'~"' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
-					function ($m) {
-						return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . ($m[2] ?? '') . '"';
-					},
-					$buffer,
-				);
-			}
+			$buffer = preg_replace_callback(
+				'~"' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
+				function ($m) {
+					return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . ($m[2] ?? '') . '"';
+				},
+				$buffer,
+			);
 		}
 
 		// Return the changed buffer.

Sources/Session.php

@@ -96,6 +96,11 @@ public function read(string $session_id): string
 	 */
 	public function write(string $session_id, string $data): bool
 	{
+
+		// Don't both writing the session if cookies are diabled
+		if (empty($_COOKIE))
+			return true;
+
 		if (preg_match('~^[A-Za-z0-9,-]{16,64}$~', $session_id) == 0) {
 			return false;
 		}
@@ -189,9 +194,7 @@ public static function load(): void
 	{
 		// Attempt to change a few PHP settings.
 		@ini_set('session.use_cookies', '1');
-		@ini_set('session.use_only_cookies', '0');
 		@ini_set('url_rewriter.tags', '');
-		@ini_set('session.use_trans_sid', '0');
 		@ini_set('arg_separator.output', '&');
 
 		// Allows mods to change/add PHP settings

Sources/Utils.php

@@ -2236,15 +2236,8 @@ public static function redirectexit(string $setLocation = '', bool $refresh = fa
 			$setLocation = Config::$scripturl . ($setLocation != '' ? '?' . $setLocation : '');
 		}
 
-		// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
-		$sid = defined('SID') ? @constant('SID') : null;
-
-		// Put the session ID in.
-		if (isset($sid) && $sid != '') {
-			$setLocation = preg_replace('/^' . preg_quote(Config::$scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\??/', Config::$scripturl . '?' . $sid . ';', $setLocation);
-		}
 		// Keep that debug in their for template debugging!
-		elseif (isset($_GET['debug'])) {
+		if (isset($_GET['debug'])) {
 			$setLocation = preg_replace('/^' . preg_quote(Config::$scripturl, '/') . '\??/', Config::$scripturl . '?debug;', $setLocation);
 		}
 
@@ -2259,23 +2252,13 @@ public static function redirectexit(string $setLocation = '', bool $refresh = fa
 				Sapi::isSoftware([Sapi::SERVER_APACHE, Sapi::SERVER_LIGHTTPD, Sapi::SERVER_LITESPEED])
 			)
 		) {
-			if (isset($sid) && $sid != '') {
-				$setLocation = preg_replace_callback(
-					'~^' . preg_quote(Config::$scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&))((?:board|topic)=[^#]+?)(#[^"]*?)?$~',
-					function ($m) {
-						return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html?' . $sid . (isset($m[2]) ? "{$m[2]}" : '');
-					},
-					$setLocation,
-				);
-			} else {
-				$setLocation = preg_replace_callback(
-					'~^' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
-					function ($m) {
-						return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . (isset($m[2]) ? "{$m[2]}" : '');
-					},
-					$setLocation,
-				);
-			}
+			$setLocation = preg_replace_callback(
+				'~^' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
+				function ($m) {
+					return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . (isset($m[2]) ? "{$m[2]}" : '');
+				},
+				$setLocation,
+			);
 		}
 
 		// The request was from ajax/xhr/other api call, append ajax ot the url.