Magento2: ?sid in URL even if disabled

We have the same problem on 2.0.7. Had this problem since 2.0. Just asked my hosting company for help. They were able to fix on their end and said this:

SID issue should be resolved now. If you clear your browser cache (or use private/incognito browsing) going to xxxxxxx.com should redirect to www.xxxxxxx.com without any SID. We added a 301 redirect to the pub/.htaccess file:

RewriteCond %{HTTP_HOST} ^xxxxxxx.com
RewriteRule ^(.*) http://www.xxxxxxx.com/$1 [L,R=301]

We will close this issue as not updated more than 2 weeks if this issue still reproducible please feel free to create the new one.

It seems to be back in 2.1.2 !
I disabled the use of SID in admin but :

Résolution de www.xxxxxxx.com (www.xxxxxxxx.com)… xx.xx.xx.xx
Connexion à www.xxxxxxxx.com (www.xxxxxxxx.com)|xx.xx.xx.xx|:80… connecté.
requête HTTP transmise, en attente de la réponse… 301 Moved Permanently
Emplacement : http://xxxxxxxx.com/?SID=ggjarfb9f28190a51b0nossoh2 [suivant]

I use 301 in admin.

Damn, I'm going to recheck it asap...

Thanks, just a thing, i've edited my message to remove ip on the github website, but as you answered using mail, the ip is back in your response, could you edit and remove the ip in it ?
Thanks a lot !

Same issue in 2.1

I still see this issue in Magento 2.1.3.

i´m seeing it in 2.,1.2

Same problem in 2.1.0 using this architecture:
Apache -> <-varnish -> <-niginx -> internet
Any helps or patch ?

Here's a .htaccess workaround, which you can modify for your particular use case:

############################################
## Site Redirects
<IfModule mod_rewrite.c>
    RewriteEngine on
    ############################################
    ## Require "www." prefix for all sites
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ############################################
    ## Require HTTPS for all sites
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Keep in mind that the workaround won't work if your store base URL doesn't start with www i.e it shouldn't be wildcard. Change it from https://yoursitename.com to https://www.yoursitename.com from the store config options before putting this in your .htaccess file, otherwise you will get redirection errors.

We als see this happening using Magento CE 2.1.4

@maksek: I believe this issue should be reopened?

In case it is needed, I added a very easy case of how you can reproduce this:

Preconditions

• Magento CE 2.1.5
• PHP 7.0.16
• Apache 2.2.32

Steps to reproduce

1. Install Magento CE 2.1.5 using composer
2. During the installation, set the base url to: https://www.m2.dev/
3. In your Apache configuration, set up a VirtualHost with 2 domains, one with 'www' and the other without 'www', something like this:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile "/opt/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/opt/local/apache2/conf/server.key"

    ServerName m2.dev
    ServerAlias www.m2.dev

    DocumentRoot "/path/to/magento2/pub"

    <Directory "/path/to/magento2/pub">
      Options Indexes FollowSymLinks ExecCGI
      AllowOverride All
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

1. After the installation, do this:

$ curl -I --insecure https://www.m2.dev/
HTTP/1.1 200 OK
# good, is expected!

$ curl -I --insecure https://m2.dev/
HTTP/1.1 302 Found
Location: https://www.m2.dev/?SID=abcdef...
# good, is expected!

1. Now change the Magento setting: General => Web => Session Validation Settings => Use SID on Storefront => No
2. Flush your caches
3. Execute the same thing as above:

$ curl -I --insecure https://www.m2.dev/
HTTP/1.1 200 OK
# good, is expected!

$ curl -I --insecure https://m2.dev/
HTTP/1.1 302 Found
Location: https://www.m2.dev/?SID=abcdef...
# NOT good, there should be NO ?SID in the url!

Please reopen as this error still exists in 2.1.6

@mautz-et-tong: I created a new ticket: https://github.com/magento/magento2/issues/9453, since this one is being ignored, thanks for the reminder!

$ bin/magento --version
Magento CLI version 2.1.6

$ httpd -version
Server version: Apache/2.4.18 (Unix)
Server built:   Mar  9 2016 17:25:28

If the website with multi-store views:
after the request to one of store view URL => redirected to default store URL

Example:

# store view URL: https://m-store-view-ru-ru.com/
# default store view URL: https://m-store-view-default.com/

$ curl -I --insecure https://m-store-view-ru-ru.com/

HTTP/1.1 302 Found

Location: https://m-store-view-default.com/?SID=62c3347d2aa7c5e59ee874f1a78c8881

# NOT good, there should be opened: https://m-store-view-ru-ru.com/

The current issue, IMHO - related to the correct setting:

MAGE_RUN_CODE

MAGE_RUN_TYPE

After upgrading from Magento 2.1.3 version to the Magento 2.1.6 version,
my issue fixed by appending (concerning to: Apache HTTPd server) to the .htaccess file:

/path/to/magento2root/.htaccess

# (NOTE - Not to: /path/to/magento2root/pub/.htaccess)

SetEnvIf Host www\.your-website-1\.ru MAGE_RUN_CODE=base
SetEnvIf Host www\.your-website-1\.ru MAGE_RUN_TYPE=website
SetEnvIf Host ^your-website-1\.ru MAGE_RUN_CODE=base
SetEnvIf Host ^your-website-1\.ru MAGE_RUN_TYPE=website

SetEnvIf Host www\.your-website-2\.ru MAGE_RUN_CODE=your_website_2_ru
SetEnvIf Host www\.your-website-2\.ru MAGE_RUN_TYPE=website
SetEnvIf Host ^your-website-2\.ru MAGE_RUN_CODE=your_website_2_ru
SetEnvIf Host ^your-website-2\.ru MAGE_RUN_TYPE=website

This didn't work for me on 2.0.13. Where did you put the ode in your htaccess file?

UPDATE:

This worked for me:

## Prefix all requests with https://www. before they ever hit Magento
RewriteEngine on 
RewriteCond %{HTTP_HOST} !^www\.my-domain\.com$ [NC]
RewriteRule ^(.*)$ https://www.my-domain.com/$1 [R=301,L]

..taken from here: Inchoo

Same in 2.1.2 with Nginx+Varnish (SSL Termination)
Adding SID even www.domain.com or domain.com

Finally resolved that with disabling 'Auto-redirect to Base URL' and applying redirect in Varnish level. If there is anybody faced with that :

sub vcl_recv {

    if (req.http.host == "domain.com") {

        return (synth (750, ""));

    }

}

sub vcl_synth {

      if(resp.status == 750) {

        # add www and redirect to https://

        if(req.http.host ~ "^domain.com") {

            set resp.status = 301;

            set resp.http.Location = "https://www.domain.com" + req.url;

            return(deliver);

        }

    }

}


                    

Hello all:)

How do if or site use HTTPS ?

Please help us :)

Fixed it with another method. (sorry for my English)
My conf:
Nginx (basic auth + exclude some API URLs from auth) - Apache - PHP-FPM - Magento 2.1.9
I have a problem with redirect from base domain to subdomain (default storeview) when calling URL with API string. POST request to api URL works ok. But GET was redirected to default storeview (subdomain URL with SID at the end of it) and goes to infinite loop.
After searching in logs I found wrong IPs in log when calling API URL. Then I found that I miss to add headers in nginx config of API (disable auth) construction.
Something like this:

   }
   location /api/ {
    auth_basic off;
    location /api/ {
    proxy_pass http://XXX.XXX.XXX.XXX:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    }
  }

Hello,

I am getting same issue in Magento 2.2.1

I am getting this issue in 2.2.2 CE also.

vendor/magento/framework/Session/SidResolver.php

Find the function and comment the line as below.

public function getUseSessionInUrl()
{
// return $this->_useSessionInUrl;
}

Any suggestion from Magento core team. I am getting it on my Magento 2.2.2 based website. I have disabled use of SID in admin panel. Please give some concrete solution. If you need to see the url of my live website, I can share here.

The problem is that it looks very bad in u of homepage and also in our google adwords and analytics, every url with a unique id is considered as a new url.

@logicallimit: please see the issue progress over here: https://github.com/magento/magento2/issues/9453
It looks like the fix is going to be included in Magento 2.2.4. The commit which should fix the issue (not tested by myself): https://github.com/magento/magento2/commit/38720ea0920622b8b66e2b576ea7d630ff9294c1

Thanks @hostep for the update. However, I will be really grateful if you know about any workaround for this for Magento 2.2.2 and can share here. I have tried the ones suggested in this forum and others available on other websites that suggests to modify the .htaccess file. My website uses https://www. pattern. I have used this in both secured and unsecured url in Magento Admin also. The solution works sometime. I found that after cache clearing it starts behaving randomly.

Following is the entry in my .htaccess file:
RewriteCond %{HTTP_HOST} !^www.domain.com$ [NC]
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

Is it correct or I need to put some other conditions also.

@logicallimit: this is from memory, but I think the above RewriteRule doesn't work when there isn't a request path and you go to the root of the domain name (not 100% sure though). Maybe this will work better:

RewriteCond %{HTTP_HOST} !^www.domain.com$ [NC]
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^www.domain.com$ [NC]
RewriteRule ^$ https://www.domain.com/ [R=301,L]

If that doesn't work, maybe try out the suggestion from @jaywilliams, the first couple of lines, it looks fine as well.
But it all comes down to you taking your time to test various scenario's and see what works and what doesn't.

An alternative is to try to patch the commit I mentioned above in your composer installation using https://github.com/cweagans/composer-patches/ or https://github.com/vaimo/composer-patches

@hostep: I added the second set of condition that you mentioned in your reply just below the already existing first condition in my .htaccess and it stopped appending SID to url. Although I have not cleared any cache from my Magento admin panel after adding this new condition. I just want it to keep working without touching anything else unless I really need to play around. In case I clear the cache sometime in future and the SID again gets added, I will update you. As of now it is perfectly working.

Thank you so much for this tip! :)