PHP Sessions with Disabled Cookies, Does It Work

"A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL. "

Sessions: Introduction

How do PHP sessions work when cookies are disabled?

PHP will do 2 things:

  • It will rewrite all links to pass an extra GET parameter, usually PHPSESSID, but this can be changed by setting session.name in php.ini
  • It will add a hidden input with the same name after all <form> opening tags.

Note that this is a dangerous thing to do, because anyone you e.g. copy/paste a URL to containing a PHPSESSID parameter will be able to share your login session on the site - the webserver has no easy way of telling that you are different from the person you sent the link to...

What happens if cookies are disabled?

Yes, it's true. Both sessions and normal cookies are normal cookies. If a user does not accept cookies, he cannot use any of the functionality enabled by them. Which means pretty much the whole internet would break for that user, which is why in this day and age there's virtually nobody who has cookies disabled entirely.

PHP has a built-in mechanism called transparent session ids, which automagically rewrites all links to contain the session id in a query parameter. I would not suggest using it, since session ids in the URL open up a whole new can of worms.

For user friendliness, I'd recommend you test whether the user has cookies enabled or not (set a cookie, redirect to the next page with a flag in the URL that cookies should be set, see if you get any cookies back) and if not, kindly advise the user to enable them.
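The "set a cookie, redirect with a flag, see if it comes back" check described in this answer, written out as an added example (it is not code from the answer's author). The probe cookie name `cookie_probe` and the query flag `cc` are assumptions; the redirect target is taken from `$_SERVER['SCRIPT_NAME']` rather than the raw request URI so nothing client-controlled is reflected into the Location header.

```php
<?php
// Added example: cookie-support probe. Request 1 sets a short-lived cookie and
// redirects back with a flag in the query string; request 2 checks whether the
// cookie returned. Names PROBE_COOKIE and PROBE_FLAG are assumptions.

const PROBE_COOKIE = 'cookie_probe';
const PROBE_FLAG   = 'cc';

// null  = first visit, verdict not yet known
// true  = flag present and the probe cookie came back
// false = flag present but no cookie: the client is not accepting cookies
function cookies_supported(): ?bool
{
    if (isset($_GET[PROBE_FLAG])) {
        return isset($_COOKIE[PROBE_COOKIE]);
    }
    return null;
}

function start_probe(): void
{
    // Secure/HttpOnly/SameSite so the probe itself is neither readable by
    // script nor sent cross-site. Options-array form needs PHP 7.3+.
    setcookie(PROBE_COOKIE, '1', [
        'expires'  => time() + 300,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Redirect to this script with the flag appended. SCRIPT_NAME is derived
    // by the server from the resolved script, not copied from the request
    // line, so a "//evil.example/..." path cannot turn this into an open redirect.
    $self = $_SERVER['SCRIPT_NAME'] ?? '/';
    header('Location: ' . $self . '?' . PROBE_FLAG . '=1', true, 302);
    exit;
}

$verdict = cookies_supported();
if ($verdict === null) {
    start_probe();
} elseif ($verdict === false) {
    http_response_code(403);
    echo 'This site needs cookies to keep you logged in. Please enable them and reload.';
    exit;
}

// Cookies work: start the normal, cookie-backed session. No URL fallback.
session_start();
```

The verdict is only ever computed on the second request, so a client that never sends cookies gets the advisory page instead of silently falling through to a URL-carried session id.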

What would happen if cookies are disabled on the system?

That's an interesting question.

Although PHP sessions were invented initially to work with cookies disabled, this feature was proven insecure and has become somewhat frowned upon nowadays.

However, this feature still works - PHP can rewrite all local links, adding the session id to them and thus having it transferred from page to page.

Yet it's still insecure, as an unsuspecting user may send a hyperlink to a friend, and the session id as well - making the friend logged in.
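The two configurations the answers above contrast, side by side as an added example (not code from any of the answers): the `session.*` settings that make PHP rewrite links and accept an id from the query string, and the cookie-only settings that switch that off. The option names are PHP's own; the helper function names are mine, and the Secure cookie flag assumes an HTTPS-only deployment.

```php
<?php
// Added example: session.* settings behind the "works without cookies" mode,
// beside the cookie-only settings. Set at runtime with ini_set() here; the
// same keys can live in php.ini. Helper names are assumptions.

// URL-fallback mode. PHP appends session.name (PHPSESSID) to local links and
// <form>s and ACCEPTS an id from GET/POST, so a pasted link carries the login.
function configure_session_url_fallback(): void
{
    ini_set('session.use_cookies',      '1');
    ini_set('session.use_only_cookies', '0');  // id may come from GET/POST
    ini_set('session.use_trans_sid',    '1');  // rewrite links and forms
    ini_set('session.use_strict_mode',  '0');  // adopt any id presented (fixation)
}

// Cookie-only mode. The id is read from the session cookie and nowhere else;
// an id the server never issued is discarded and replaced (strict mode); the
// cookie is invisible to script and not sent on cross-site navigations.
function configure_session_cookie_only(): void
{
    ini_set('session.use_cookies',      '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid',    '0');
    ini_set('session.use_strict_mode',  '1');  // PHP 5.5.2+
    ini_set('session.cookie_httponly',  '1');
    ini_set('session.cookie_secure',    '1');  // assumes HTTPS-only site
    ini_set('session.cookie_samesite',  'Lax'); // PHP 7.3+
}

configure_session_cookie_only();
session_start();

// On successful login, issue a fresh id so whatever id the client held before
// authenticating (including one planted by an attacker) is never the one that
// becomes authenticated.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

`session.use_only_cookies` is the setting that actually closes the door: with it off, PHP will still read a `PHPSESSID` from the query string even if `use_trans_sid` is off and no links are being rewritten.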

How session would uniquely identify the user, etc.?

The idea of a session is not to identify the user but to transfer a session id between separate requests. So, as long as you can manage to do so, you can keep the session. Say, in a modern web application that is using AJAX all the way, one can do without cookies all right, yet keep the application pretty secure, just by means of transferring the session id strictly via AJAX calls, not showing it in the address bar.

How to access PHP sessions when cookies are disabled?

You'll have to open your session manager manually, using, for example

<?php
// Take the id the client passed, if any; session_start() then loads that session.
// Accepting a caller-supplied id without validation is a session-fixation risk.
if (!empty($_GET['session_id'])) {
    session_id($_GET['session_id']);
}
session_start();
// you can now access $_SESSION['data']
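The snippet above and the AJAX-only approach in the earlier answer both amount to "hand PHP an id that did not arrive in a cookie". Here is an added example (not the answer author's code) that does this with the id carried in an `X-Session-Id` request header, which the client-side code is assumed to send, rather than in the query string, and that validates the id and relies on `session.use_strict_mode` so an id the server never issued is not silently adopted. The header name is an assumption.

```php
<?php
// Added example: cookie-less session keyed on an X-Session-Id request header
// (header name is an assumption). Never reads the id from the URL, validates
// its shape, and lets strict mode reject ids PHP has no record of.

function extract_presented_session_id(): ?string
{
    // Query strings end up in logs, Referer headers and browser history;
    // a custom request header does not.
    $id = $_SERVER['HTTP_X_SESSION_ID'] ?? null;
    if ($id === null) {
        return null;
    }
    // PHP builds ids from [A-Za-z0-9,-]; with the defaults
    // session.sid_length=32 / sid_bits_per_character=4 they are 32 hex chars.
    // Anything outside that alphabet or length is not a session id.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return null;
    }
    return $id;
}

function start_header_session(): void
{
    ini_set('session.use_cookies',      '0'); // no session cookie sent or read
    ini_set('session.use_only_cookies', '1'); // and no lookup in GET/POST either
    ini_set('session.use_trans_sid',    '0'); // never rewrite URLs
    ini_set('session.use_strict_mode',  '1'); // unknown ids are replaced, not adopted

    $presented = extract_presented_session_id();
    if ($presented !== null) {
        session_id($presented);       // must be set before session_start()
    }
    session_start();

    // Under strict mode PHP swaps an unknown/expired id for a fresh one, so a
    // mismatch here means the presented id was not accepted: treat as logged out.
    if ($presented !== null && session_id() !== $presented) {
        $_SESSION = [];
    }
}

start_header_session();

// The client must learn the (possibly new) id to present it on the next call.
header('X-Session-Id: ' . session_id());
```

With `use_cookies=0` and `use_only_cookies=1` together, PHP performs no id lookup of its own at all; the only id it will ever use is the one handed to it via `session_id()`, which is exactly the property a header- or token-carried session needs.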

Will PHP handle sessions automatically if cookies are disabled?

No, you don't have to set this manually; PHP handles this for you.

It uses cookies if available, or else it switches to sending it via a URL,
provided that session.use_trans_sid is enabled:

ini_set("session.use_trans_sid", 1);

Notice that URL-based session management has additional security risks,

and see this link for more info.

Why doesn't the session work when cookies are disabled?

Well, because when cookies are disabled, the server has no idea which session a client belongs to (no information about the session is passed to the server). If you want to make sessions work when cookies are disabled, you may have to pass a PHPSESSID in your URLs, something that looks like this:

http://example.com/myurl.php?PHPSESSID=[a long string]

PHPSESSID can be generated by using the session_id() function.
