Session IDs in PHP can cause some real problems when search engines index your pages. For this reason, you should disable PHPSESSID on your sites, and keep session IDs in cookies instead. If you disable PHPSESSID in the URL, this can become a usability issue, as all visitors must have cookies enabled to make use of any code that requires sessions (such as login scripts). This is unfortunate, but in my mind worth the sacrifice.

Why disable PHPSESSID?

If a visitor comes to your site with cookies off, PHP will automatically add PHPSESSID into the URL of every page. This is the way of maintaining state between pages.

Because many search engines spider your site with cookies off, they will see the version of your URL with the session ID included. A number of search engines will include the session ID in the index, and it can be hard to get rid of.

Session IDs in search engine indexes are ugly. They don't look good, and they confuse the visitor as to the real content on the page. They cloud your pristine search result with technical rubbish, and you lose that lovely whitespace around your listing that will attract searchers to it.

Worse, having PHPSESSID in a search result can cause duplicate content issues, and Google is unlikely to give out PageRank to a URL including a PHPSESSID. In my experience, pages with PHPSESSID in the URL seem to be in the supplemental index more often too.

Other reasons

If having ugly looking search results and being in the supplemental index wasn't enough reason to change, there are other reasons too.

When you have a session ID in your URL, it makes session hijacking a little easier for a hacker, because the URL (and the session ID with it) ends up in browser history, server logs and Referer headers. Also, if you copy-paste the URL to a friend, they may end up sharing a shopping cart with you while they browse the site - sure to generate unexpected results.

Session IDs in URLs are a good idea if your site must work without cookies enabled, and search engine rankings are not that important to you.

How to Disable PHPSESSID

It's always best to approach the problem from several angles. Consider the following objectives...

  1. Prevent search engines from being given a PHPSESSID in the first place.
  2. Redirect any visitor that comes into the site with a PHPSESSID in the URL.
  3. Remove existing listings in the search engine indexes that already have PHPSESSID included.

I'll assume for this you have PHP, since we are talking about PHP sessions here...

Step 1. Preventing PHPSESSID from appearing

Also assuming your webserver is Apache, insert the following code into .htaccess to prevent session IDs from appearing
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0

This code tells the server to store the PHPSESSID in a cookie, or not to bother. If the browser does not have cookies enabled (eg Googlebot), then the session id won't move to the URL. This does mean that all functionality that relies on sessions will not work (such as session based logins). Keep this in mind.

Also note that I have had trouble getting this code to work on PHP hosts that run PHP in CGI mode. As a result, I moved all my sites to hosts that run PHP as an Apache module. Seems like overkill, but I really don't like these session IDs.

Step 2. Redirecting visitors

Step 2 is to redirect all visitors that come into the site with a session ID from an outside link. If you allow the link to work as is, then you have a duplicate content problem (one piece of content available with 2 or more URLs).

The logic I use here is a little more general, because I firmly believe in the rule "one page, one URL".

Consider the following code, on every page of your site...
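// URL the visitor actually requested
$actualurl = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
// The one URL this page should live at
$correcturl = 'http://www.ragepank.com/articles/26/disable-phpsessid/';
if ($correcturl != $actualurl) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: " . $correcturl);
    exit; // stop here so the page body is not sent along with the redirect
}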

If you try coming into this page with a PHPSESSID attached, this code will detect that the URL is wrong, and 301 redirect you to where you should be. This code takes care of session IDs, but also ALL other kinds of duplicate content issues. This code has the URL hard-coded into the script, but you would automate this on dynamic sites.
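
An added example (not code from the original article) of automating Step 2 on a dynamic site, with the Step 1 settings applied at runtime for hosts where php_value lines in .htaccess are not accepted, since those directives are only understood when PHP runs as an Apache module. CANONICAL_ORIGIN, canonical_url() and www.example.com are assumptions; the redirect target is built from the configured origin rather than from the client-supplied Host header.

```php
<?php
// Added example, not the article's code. CANONICAL_ORIGIN and canonical_url()
// are hypothetical names; www.example.com is a placeholder origin.
const CANONICAL_ORIGIN = 'http://www.example.com';

// Step 1 at runtime, for hosts that reject php_value lines in .htaccess.
// Must run before session_start() and before any output is sent.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

/**
 * Build the one canonical URL for a request URI: configured origin + path +
 * query string with the session parameter removed. Returns null when the URI
 * has no usable absolute path.
 */
function canonical_url(string $requestUri, string $sessionName = 'PHPSESSID'): ?string
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['path']) || strncmp($parts['path'], '/', 1) !== 0) {
        return null;
    }
    // Filter raw "name=value" pairs so other parameters keep their exact encoding.
    $pairs = array_filter(
        explode('&', $parts['query'] ?? ''),
        function (string $pair) use ($sessionName): bool {
            $name = urldecode(explode('=', $pair, 2)[0]);
            return $pair !== '' && $name !== $sessionName;
        }
    );
    // The host always comes from configuration, never from the Host header.
    return CANONICAL_ORIGIN . $parts['path'] . ($pairs ? '?' . implode('&', $pairs) : '');
}

if (PHP_SAPI !== 'cli') {
    // Use the configured scheme so only host and URI are compared; this avoids
    // redirect loops behind a TLS-terminating proxy.
    $scheme = parse_url(CANONICAL_ORIGIN, PHP_URL_SCHEME);
    $actual = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '') . $_SERVER['REQUEST_URI'];
    $target = canonical_url($_SERVER['REQUEST_URI']);
    if ($target !== null && $target !== $actual) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}
```

Include this file at the top of every page, before any output. A request for /articles/26/?PHPSESSID=abc123&page=2 is redirected to /articles/26/?page=2 on the configured origin.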

Step 3. Telling Google

Now that your redirections are working (and you have tested them), you need to tell Google to update its index and get rid of those ghastly session IDs. You don't want your 50 page website having 500 pages indexed in Google.
This next concept might seem a little strange, so bear with me.

You need to link to the pages that contain the PHPSESSID, including the PHPSESSID. Because search engines will never be given the same PHPSESSID twice, they are unlikely to find the exact page with the indexed PHPSESSID again. This is why you should link to it.
  • Visit Google, Yahoo, MSN and search for all indexed pages on your site, eg... "site:ragepank.com".
  • Make a list of all pages containing a PHPSESSID.
  • Create a new page on your website, and link to it from somewhere obscure.
  • Add links to all these PHPSESSID pages on this new page

Alternatively, put all the pages you want removed from Google into your XML sitemap. This does more or less the same thing.

Search engine robots will follow all the links you created (to the PHPSESSID pages). They will see the 301 redirection in place, and update their index accordingly.

Or so the theory goes anyway. In practice this can take months on a small website.
Allow search engines some time to remove your PHPSESSID pages from their index; it can take several months before engines will remove PHPSESSID from their listings.


This does take time. Once Google indexes a page, it can be difficult to change or get rid of the page. It can happen over time, but normally you need to treat Google like a child, and explicitly say (by using 301 redirects) which URLs you want changed.

This technique does work. The results are nice clean search engine listings, and it is definitely worth the effort.

Harvey Kane
