 

PHP session without cookies

Is there a way that I can initiate a persistent session in PHP without the placement of a session cookie? Are there other ways of maintaining a session across pages, such as an IP address-based solution?

My reason for asking is that, although most users have cookies on, I want to see if there's a way for a login system to work for those with them disabled (even though I think disabling cookies is just unnecessary paranoia, personally).

Delan Azabani asked Sep 18 '10 08:09



2 Answers

I don't think it's too much to ask your users to enable cookies. I find it silly when people turn them off entirely.

Otherwise, you can set your session.use_only_cookies to "0" to force the appendage of a session ID to URLs within your PHP. This approach, however, has several drawbacks, mainly that of keeping the state within the URL, as opposed to the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.

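```php
<?php
// Do not send or rely on a session cookie.
ini_set("session.use_cookies", 0);
ini_set("session.use_only_cookies", 0);
// Have PHP append the session ID to URLs in the output.
ini_set("session.use_trans_sid", 1);
// Send no automatic cache-control headers.
ini_set("session.cache_limiter", "");
session_start();
```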
PureForm answered Sep 22 '22 20:09


You can set the ini value of session.use_trans_sid to true in order to activate appending the session ID to every URL. Have a look at this.

For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (e.g. behind a proxy) could reuse that very same session.

halfdan answered Sep 22 '22 20:09
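
The IP binding suggested in the second answer, combined with the URL-based settings from the first, as an added example that is not code from either answer: a request that presents the session ID from a different address than the one that created the session is given a fresh, empty session, and the owner's stored session is left untouched. The function names and the `bound_ip` key are hypothetical, `session.use_strict_mode` is an extra hardening setting not mentioned in the thread, and `session_create_id()` assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names and the
// 'bound_ip' session key are hypothetical.

function start_url_session(): void
{
    ini_set('session.use_cookies', '0');       // never send a session cookie
    ini_set('session.use_only_cookies', '0');  // accept the ID from the URL
    ini_set('session.use_trans_sid', '1');     // append the ID to relative URLs
    // Assumption: extra hardening, rejects IDs the server did not issue.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

/**
 * Bind the session to the address that created it.
 * Returns true when the caller was moved to a fresh, empty session.
 */
function enforce_ip_binding(string $remoteAddr): bool
{
    if (!isset($_SESSION['bound_ip'])) {
        $_SESSION['bound_ip'] = $remoteAddr;   // first request: record the creator
        return false;
    }
    if (hash_equals($_SESSION['bound_ip'], $remoteAddr)) {
        return false;                          // same address: keep the session
    }
    // The ID arrived from another address (for example a pasted URL).
    // Close without writing, so the owner's stored session stays as it was,
    // then continue under a newly generated ID with no data in it.
    session_abort();
    session_id(session_create_id());
    session_start();
    $_SESSION = [];
    $_SESSION['bound_ip'] = $remoteAddr;
    return true;
}

start_url_session();
$wasReset = enforce_ip_binding($_SERVER['REMOTE_ADDR'] ?? '');
// When $wasReset is true the visitor holds an empty session and must log in again.
```

When the application sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so every visitor would pass this check.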