
PHP Sessions with disabled cookies, does it work?

People also ask

Will session work if cookies is disabled in PHP?

So, based on his question, "Can a PHP session be set, read and used if cookies are disabled in the user's browser?", it should be yes. It can be read and used.

What happens if cookies are disabled?

4] Disabling the cookies makes your web browsing less convenient. When you clear all your cookie data, your web browser won't be able to remember your site preferences. 5] Disabling or clearing the cookie data will delete your login information and suggestions. Hence, you have to re-enter the information again.

How session is maintained when cookies are disabled?

A session is never stored in cookies. Whenever we create a session, a unique SessionID is generated. By this SessionID the server recognizes the request. By default the SessionID is stored in cookies, but if cookies are disabled in the browser or a cookieless session is configured in web.

Can we maintain session without cookies?

If it's a public session then yes, you can use a session without cookies.


"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

Sessions: Introduction


If session.use_cookies = 1 (Cookie enabled.)

If session.use_cookies = 0 (Cookie disabled.)

If session.use_cookies = 1, the session stores the session ID in a cookie. Calling session_id() gets the stored session ID from the cookie, and data saved into the session array will be found on all pages.

If session.use_cookies = 0, the session does not store the session ID in a cookie, you will get a new session ID each time you call session_id(), and data stored in the session on one page will not be found on other pages.


Yes, sessions will work when cookies are disabled. But first Apache checks the PHP configuration settings, like:

   --enable-trans-sid
and
   --enable-track-vars

If these values are set to true, the session will be passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" are set to FALSE, we need to pass the session ID by using the SID constant.

<a href="index.php?<?= htmlspecialchars(SID) ?>">Navigate from here</a>

You also need to set these php.ini values:

ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);
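
Added example, not part of any answer on this page: a cookieless session carried in the URL, configured with the settings that limit session fixation and session ID leakage. The file name index.php, the login action, the demo user and the idle limit are assumptions; PHP 8.4 and later report these URL-based session settings and the SID constant as deprecated.

```php
<?php
// Added example (not from the answers above). Save as index.php.
// All ini_set() calls must run before session_start() and before any output.
ini_set('session.use_cookies', '0');      // never send a session cookie
ini_set('session.use_only_cookies', '0'); // default 1 makes PHP ignore IDs in the URL
ini_set('session.use_trans_sid', '1');    // rewrite relative links and forms
ini_set('session.use_strict_mode', '1');  // reject IDs this server never issued
session_start();

const IDLE_LIMIT = 900; // constructed value: seconds of inactivity allowed

// A URL-borne ID ends up in history, logs and shared links, so expire idle sessions.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();
    session_regenerate_id(true); // the old ID stops working
}
$_SESSION['last_seen'] = $now;
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

// Hypothetical login step: switch to a fresh ID when privilege changes, so an ID
// planted in a link before login is useless afterwards.
if (($_POST['action'] ?? '') === 'login') {
    session_regenerate_id(true);
    $_SESSION['user'] = 'demo'; // placeholder for a real credential check
}

header('Referrer-Policy: no-referrer'); // keep the ID out of Referer on outbound links
?>
<!doctype html>
<p>Hits in this session: <?= (int) $_SESSION['hits'] ?></p>

<!-- Relative link and form: use_trans_sid adds the session ID automatically. -->
<a href="index.php">Reload</a>
<form method="post" action="index.php">
  <button name="action" value="login">Log in</button>
</form>

<!-- A URL PHP does not rewrite (here a data attribute): add SID by hand, escaped. -->
<div data-next="index.php?<?= htmlspecialchars(SID) ?>"></div>
```

With a cookie-blocking browser the hit counter keeps increasing as long as the rewritten links are followed; requesting index.php with a made-up session ID in the query string starts a new session instead of adopting that ID.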

So basically my question is, am I right?

Mostly. In the real world: YES.

Can you use PHP sessions if you disable cookies in your browser?

You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

  • session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREF's and so on. Where it is not propagated because the automagical link recognition failed (e.g. complex URL built in Javascript), it is your responsibility to provide accordingly.

Or - and here we're not in Kansas anymore:

  • passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:[email protected] ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
  • recognizing the browser some other way ("fingerprinting") (this is normally(1) suicidal)
  • Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
  • other ways ( see http://en.wikipedia.org/wiki/Evercookie )

(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.


You are right, Session cannot work without cookies. To illustrate this try doing the following actions.

  1. Log in to Gmail.
  2. After logging in, disable cookies.
  3. Refresh the page.

You will be redirected to the login page again as the server cannot identify the session.

  1. Now enable cookies again.
  2. Refresh the page. (Note: Don't click on login button).
  3. You will be automatically redirected to the Gmail inbox.

Hence, we can say that without cookies the session will not work.

Also, if you try to log in to Gmail (taken as an example; you can use any website) with cookies disabled, it will show the message "Your browser has cookies disabled. Make sure your cookies are enabled and try again."