PHP Sessions with disabled cookies, does it work?

Question

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Sessions: Introduction

If session.use_cookies = 1 (Cookie enabled.)

If session.use_cookies = 0 (Cookie disabled.)

If session.use_cookies = 1 then session stores the sessionId into cookie. Calling session_id() get the stored sessionId from cookie and saved data into session array will be found on all the pages. If session.use_cookies = 0 In this case session does not store sessionId into cookie and you will get each time a new sessionId using session_id() and data stored into session on other pages will not be found on another pages.

Yes session will work when cookies is disabled. But first apache check php configuration settings. Like:

   --enable-trans-sid
and
   --enable-track-vars

if these value are set true the session will passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.

< a href="index.php?<?= SID ?>" >Navigate from here< /a >

Need to set php.ini

ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);

So basically my question is, am I right?

Mostly. In the real world: YES.

Can you use PHP sessions if you disable cookies in your browser?

You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

• session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREF's and so on. Where it is not propagated because the automagical link recognition failed (e.g. complex URL built in Javascript), it is your responsibility to provide accordingly.

Or - and here we're not in Kansas anymore:

• passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:[email protected] ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
• recognizing the browser some other way ("fingerprinting") (this is normally(1) suicidal)
• Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
• other ways ( see http://en.wikipedia.org/wiki/Evercookie )

(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.

You are right, Session cannot work without cookies. To illustrate this try doing the following actions.

1. Login To Gmail.
2. After login disabled the cookies.
3. Refresh the page.

You will be redirected to the login page again as the server cannot identify the session.

1. Now again enable the cookies.
2. Refresh the page. (Note: Don't click on login button).
3. You will be automatically redirected to the Gmail inbox.

Hence, we can say without cookies session will not work.

Also, If you are trying to login into the gmail( taking as example you can take any website) with diabled cookies then it will message as "Your browser has cookies disabled. Make sure your cookies are enabled and try again."