My web host is adding ?PHPSESSID=fgh2h45... to the end of the URL

I'm using iPage.com host. In order to use PHP sessions in their host I need to add 开发者_如何学JAVAsession_save_path('/home/users/web/.../cgi-bin/tmp'); at the start of each page (in my case only index.php because everything goes trough index.php first).

Now, they automatically add the session id to the end of every URL requested like this: website.com/movies/details/?PHPSESSID=4s54kjhdl...

I think this is causing problems and can affect google indexing and SEO..

How to prevent this?

Your "host" isn't causing the issue, PHP is appending this data. Specifically, PHP is configured to append the PHPSESSID variable to the URL to allow PHP to track the session. It's possible to change the relevant setting using ini_set prior to calling session_start, or more permanently by updating the php.ini file (though since you're hosted this last option is probably out). This is a list of the available runtime settings for sessions in PHP.

While you can control whether or not the value is appended to the end of your URLs, it's required to track the sessions. Alternatively you can configure PHP to use cookies to track sessions, but requiring cookies to track sessions may break your application for users who reject cookies.

In short, you can control the session ID to make it a little prettier (by renaming PHPSESSID to something more amenable or making the value less cryptic) but unless you want to use cookies to maintain the session, you're stuck with this "garbage" on your URL. If you only use cookies some users may not be able to maintain the session.

To enable cookie based session handling you can execute either:

// stop PHP from automatically embedding PHPSESSID on local URLs
ini_set('session.use_trans_sid', false);

or

// only use cookies (no url based sessions)
ini_set('session.use_only_cookies', true);

If you can't modify php.ini yourself, you can do the following:

ini_set('session.use_trans_sid',false);

This will cause PHP to use cookie based session handling, and not append the session id to the URL (which could be a security risk anyway).

Either configure it to use cookie-based sessions or turn of sessions entirely.