So would you be able to post here a simple PHP login script that uses sessions instead of cookies?
And can you make sessions expire? Because I read that if a person sends their session ID URL to another person, then the other person will be able to log in with just the URL.
Probably both, depending on your PHP configuration.
Typically, a cookie is stored in the client browser. That cookie's name is (by default) PHPSESSID, and its value is the session ID allocated by PHP. If you have a cookie editor for your browser (an extremely useful testing tool), you can actually see this. The browser also holds a record of the domain which issued the cookie, and its lifetime... all pieces of information set by PHP when it sends the response headers instructing the browser to create the cookie.
Subsequently, whenever the browser sends a request to the server matching its domain and within the cookie lifetime, the cookie name/value itself is also sent to the server. If the browser sends a request to a server in a non-matching domain, or the cookie lifetime has expired, the cookie name/value is not sent with the request.
As an alternative, it is possible to configure PHP so that it doesn't use a cookie, but sends the session ID key/value pair as part of the request as a $_GET or $_POST parameter... you might then see the session ID value in the address bar.
The value of the session cookie matches a session file held on the server (typically in the /tmp directory, with a prefix of "sess_"), and it is in this file that all the session data is held. That data is not available to the browser, only to the PHP script.
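As an added example (not code from anyone in this thread), here is a minimal PHP login that keeps the session ID in the cookie only, as the reply above describes, expires idle sessions on the server side, and issues a fresh ID at login; `check_credentials()`, `IDLE_TIMEOUT` and the user "alice" are constructed stand-ins.

```php
<?php
// Added example, not code from the original thread: a minimal session-backed login
// with a server-side idle timeout and a fresh session ID on login.
declare(strict_types=1);
const IDLE_TIMEOUT = 900; // seconds of inactivity before the session is discarded

// Accept the session ID only from the cookie, never from the URL, and reject IDs
// that PHP did not itself issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,     // browser-session cookie; the timeout below governs expiry
    'path'     => '/',
    'secure'   => true,  // send only over HTTPS
    'httponly' => true,  // not readable by client-side script
    'samesite' => 'Lax',
]);
session_start();

// Expire idle sessions on the server: the sess_<id> file is destroyed, so an old
// ID no longer maps to any data, whoever presents it.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
    $_SESSION = [];
    session_destroy();
    session_start();
}
$_SESSION['last_seen'] = time();

function check_credentials(string $user, string $pass): bool
{
    // Constructed sample user store (hash computed at runtime so the example is
    // self-contained); a real application would read this from a database.
    $users = ['alice' => password_hash('sample-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    // Issue a new ID when privilege changes, so an ID handed out (or shared)
    // before login is not the one that now carries the authenticated state.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
}
if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post"><input name="user"><input name="pass" type="password"><button>Log in</button></form>';
}
```

The session data itself still lives in the server-side sess_ file; the cookie only carries the ID, which is why regenerating the ID and timing out the server record are what actually limit what a shared URL or cookie can do.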