[2.1] Remove PHPSESSID

Sources/LogInOut.php

@@ -217,8 +217,12 @@ function Login2()
 		redirectexit();
 
 	// Are you guessing with a script?
-	checkSession();
-	validateToken('login');
+	// If cookies are disallowed, session & token checks will fail
+	if (!empty($_COOKIE))
+	{
+		checkSession();
+		validateToken('login');
+	}
 	spamProtection('login');
 
 	// Set the login_url if it's not already set (but careful not to send us to an attachment).
@@ -235,7 +239,7 @@ function Login2()
 	elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 3153600))
 		$modSettings['cookieTime'] = (int) $_POST['cookielength'];
 
-	loadLanguage('Login');
+	loadLanguage('Login+Errors');
 	// Load the template stuff.
 	loadTemplate('Login');
 	$context['sub_template'] = 'login';
@@ -256,6 +260,13 @@ function Login2()
 		'name' => $txt['login'],
 	);
 
+	// Cookies are required...
+	if (empty($_COOKIE))
+	{
+		$context['login_errors'] = array($txt['login_cookie_error']);
+		return;
+	}
+
 	// You forgot to type your username, dummy!
 	if (!isset($_POST['user']) || $_POST['user'] == '')
 	{

Sources/Post.php

@@ -42,6 +42,10 @@ function Post($post_errors = array())
 	if (isset($_REQUEST['poll']) && !empty($topic) && !isset($_REQUEST['msg']))
 		unset($_REQUEST['poll']);
 
+	// You cannot post at all, even with guest posts allowed, with cookies disabled
+	if (empty($_COOKIE))
+		fatal_lang_error('func_cookie_error', false);
+
 	// Posting an event?
 	$context['make_event'] = isset($_REQUEST['calendar']);
 	$context['robot_no_index'] = true;

Sources/QueryString.php

@@ -631,15 +631,11 @@ function htmltrim__recursive($var, $level = 0)
 }
 
 /**
- * Rewrite URLs to include the session ID.
+ * Handles rewriting URLs for the queryless URLs option.
  * What it does:
- * - rewrites the URLs outputted to have the session ID, if the user
- *   is not accepting cookies and is using a standard web browser.
  * - handles rewriting URLs for the queryless URLs option.
  * - can be turned off entirely by setting $scripturl to an empty
  *   string, ''. (it wouldn't work well like that anyway.)
- * - because of bugs in certain builds of PHP, does not function in
- *   versions lower than 4.3.0 - please upgrade if this hurts you.
  *
  * @param string $buffer The unmodified output buffer
  * @return string The modified buffer
@@ -648,45 +644,27 @@ function ob_sessrewrite($buffer)
 {
 	global $scripturl, $modSettings, $context;
 
-	// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
-	$sid = defined('SID') ? @constant('SID') : null;
-
-	// If $scripturl is set to nothing, or the SID is not defined (SSI?) just quit.
-	if ($scripturl == '' || !isset($sid))
+	// If $scripturl is set to nothing, just quit.
+	if ($scripturl == '')
 		return $buffer;
 
-	// Do nothing if the session is cookied, or they are a crawler - guests are caught by redirectexit().  This doesn't work below PHP 4.3.0, because it makes the output buffer bigger.
-	// @todo smflib
-	if (empty($_COOKIE) && $sid != '' && !isBrowser('possibly_robot'))
-		$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\\??/', '"' . $scripturl . '?' . $sid . '&amp;', $buffer);
 	// Debugging templates, are we?
-	elseif (isset($_GET['debug']))
+	if (isset($_GET['debug']))
 		$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote($scripturl, '/') . '\\??/', '"' . $scripturl . '?debug;', $buffer);
 
 	// This should work even in 4.2.x, just not CGI without cgi.fix_pathinfo.
 	if (!empty($modSettings['queryless_urls']) && (!$context['server']['is_cgi'] || ini_get('cgi.fix_pathinfo') == 1 || @get_cfg_var('cgi.fix_pathinfo') == 1) && ($context['server']['is_apache'] || $context['server']['is_lighttpd'] || $context['server']['is_litespeed']))
 	{
-		// Let's do something special for session ids!
-		if (isset($sid) && $sid != '')
-			$buffer = preg_replace_callback(
-				'~"' . preg_quote($scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&amp;))((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
-				function($m) use ($scripturl, $sid)
-				{
-					return '"' . $scripturl . "/" . strtr("$m[1]", '&;=', '//,') . ".html?" . $sid . (isset($m[2]) ? $m[2] : "") . '"';
-				},
-				$buffer
-			);
-		else
-			$buffer = preg_replace_callback(
-				'~"' . preg_quote($scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
-				function($m)
-				{
-					global $scripturl;
+		$buffer = preg_replace_callback(
+			'~"' . preg_quote($scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
+			function($m)
+			{
+				global $scripturl;
 
-					return '"' . $scripturl . '/' . strtr("$m[1]", '&;=', '//,') . '.html' . (isset($m[2]) ? $m[2] : "") . '"';
-				},
-				$buffer
-			);
+				return '"' . $scripturl . '/' . strtr("$m[1]", '&;=', '//,') . '.html' . (isset($m[2]) ? $m[2] : "") . '"';
+			},
+			$buffer
+		);
 	}
 
 	// Return the changed buffer.

Sources/Register.php

@@ -36,6 +36,10 @@ function Register($reg_errors = array())
 	if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == '3')
 		fatal_lang_error('registration_disabled', false);
 
+	// You cannot register with cookies disabled
+	if (empty($_COOKIE))
+		fatal_lang_error('func_cookie_error', false);
+
 	// If this user is an admin - redirect them to the admin registration page.
 	if (allowedTo('moderate_forum') && !$user_info['is_guest'])
 		redirectexit('action=admin;area=regcenter;sa=register');

Sources/Search.php

@@ -34,6 +34,10 @@ function PlushSearch1()
 	if (!empty($context['load_average']) && !empty($modSettings['loadavg_search']) && $context['load_average'] >= $modSettings['loadavg_search'])
 		fatal_lang_error('loadavg_search_disabled', false);
 
+	// You cannot search with cookies disabled when captcha is required for guest searches
+	if (empty($_COOKIE) && !empty($modSettings['search_enable_captcha']))
+		fatal_lang_error('func_cookie_error', false);
+
 	loadLanguage('Search');
 	// Don't load this in XML mode.
 	if (!isset($_REQUEST['xml']))

Sources/Session.php

@@ -29,9 +29,7 @@ function loadSession()
 
 	// Attempt to change a few PHP settings.
 	@ini_set('session.use_cookies', true);
-	@ini_set('session.use_only_cookies', false);
 	@ini_set('url_rewriter.tags', '');
-	@ini_set('session.use_trans_sid', false);
 	@ini_set('arg_separator.output', '&');
 
 	// Allows mods to change/add PHP settings
@@ -176,6 +174,10 @@ public function write(/*PHP 8.0 string*/$id,/*PHP 8.0 string */ $data): bool
 	{
 		global $smcFunc;
 
+		// Don't bother writing the session if cookies are disabled; no way to retrieve it later
+		if (empty($_COOKIE))
+			return true;
+
 		if (!$this->isValidSessionID($id))
 			return false;
 

Sources/Subs.php

@@ -4069,36 +4069,20 @@ function redirectexit($setLocation = '', $refresh = false, $permanent = false)
 	if ($add)
 		$setLocation = $scripturl . ($setLocation != '' ? '?' . $setLocation : '');
 
-	// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
-	$sid = defined('SID') ? @constant('SID') : null;
-
-	// Put the session ID in.
-	if (isset($sid) && $sid != '')
-		$setLocation = preg_replace('/^' . preg_quote($scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\\??/', $scripturl . '?' . $sid . ';', $setLocation);
 	// Keep that debug in their for template debugging!
-	elseif (isset($_GET['debug']))
+	if (isset($_GET['debug']))
 		$setLocation = preg_replace('/^' . preg_quote($scripturl, '/') . '\\??/', $scripturl . '?debug;', $setLocation);
 
 	if (!empty($modSettings['queryless_urls']) && (empty($context['server']['is_cgi']) || ini_get('cgi.fix_pathinfo') == 1 || @get_cfg_var('cgi.fix_pathinfo') == 1) && (!empty($context['server']['is_apache']) || !empty($context['server']['is_lighttpd']) || !empty($context['server']['is_litespeed'])))
 	{
-		if (isset($sid) && $sid != '')
-			$setLocation = preg_replace_callback(
-				'~^' . preg_quote($scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&))((?:board|topic)=[^#]+?)(#[^"]*?)?$~',
-				function($m) use ($scripturl, $sid)
-				{
-					return $scripturl . '/' . strtr("$m[1]", '&;=', '//,') . '.html?' . $sid . (isset($m[2]) ? "$m[2]" : "");
-				},
-				$setLocation
-			);
-		else
-			$setLocation = preg_replace_callback(
-				'~^' . preg_quote($scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
-				function($m) use ($scripturl)
-				{
-					return $scripturl . '/' . strtr("$m[1]", '&;=', '//,') . '.html' . (isset($m[2]) ? "$m[2]" : "");
-				},
-				$setLocation
-			);
+		$setLocation = preg_replace_callback(
+			'~^' . preg_quote($scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
+			function($m) use ($scripturl)
+			{
+				return $scripturl . '/' . strtr("$m[1]", '&;=', '//,') . '.html' . (isset($m[2]) ? "$m[2]" : "");
+			},
+			$setLocation
+		);
 	}
 
 	// The request was from ajax/xhr/other api call, append ajax ot the url.

Themes/default/Display.template.php

@@ -846,6 +846,10 @@ function template_single_post($message)
 
 			$base .= (isset($txt[$base . $count])) ? $count : 'n';
 
+			// Remove link if no cookies; session reference won't work
+			if (empty($_COOKIE))
+				$txt[$base] = preg_replace('~</?a\b[^>]*>~', '', $txt[$base]);
+
 			echo '
 									<li class="like_count smalltext">
 										', sprintf($txt[$base], $scripturl . '?action=likes;sa=view;ltype=msg;like=' . $message['id'] . ';' . $context['session_var'] . '=' . $context['session_id'], comma_format($count)), '

Themes/default/languages/Errors.english.php

@@ -143,6 +143,7 @@
 $txt['delFirstPost'] = 'You are not allowed to delete the first post in a topic.<p>If you want to delete this topic, click on the Remove Topic link, or ask a moderator/administrator to do it for you.</p>';
 $txt['parent_error'] = 'Unable to create board!';
 $txt['login_cookie_error'] = 'You were unable to login. Please check your cookie settings.';
+$txt['func_cookie_error'] = 'This function requires cookies enabled. Please check your cookie settings.';
 $txt['login_ssl_required'] = 'You can only login via HTTPS';
 $txt['register_ssl_required'] = 'You can only register via HTTPS';
 $txt['incorrect_answer'] = 'Sorry, but you did not answer your question correctly. Please click back to try again, or click back twice to use the default method of obtaining your password.';