From 03ec6ce0a91531edaafef653998681248631760b Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Mon, 26 Jul 2021 21:03:14 +0200
Subject: [PATCH] [ticket/16825] Do not use session ID from URL if force_sid is
 not enabled

PHPBB3-16825
---
 phpBB/phpbb/session.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 400970242d..eb038cc8e5 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -275,7 +275,7 @@ class session
 			$SID = '?sid=';
 			$_SID = '';
 
-			if (empty($this->session_id))
+			if (empty($this->session_id) && $phpbb_container->getParameter('session.force_sid'))
 			{
 				$this->session_id = $_SID = $request->variable('sid', '');
 				$SID = '?sid=' . $this->session_id;
@@ -284,7 +284,7 @@ class session
 		}
 		else
 		{
-			$this->session_id = $_SID = $request->variable('sid', '');
+			$this->session_id = $_SID = $phpbb_container->getParameter('session.force_sid') ? $request->variable('sid', '') : '';
 			$SID = '?sid=' . $this->session_id;
 		}