darp Posted May 24, 2010

If I have cookies disabled, sessions do not work. PHP sessions are not supposed to be dependent on cookies, are they? Here is a little script that shows the results. This was tested on Firefox, Konqueror and Opera.

test_one.php

<?php
session_start();
echo session_id(); //RESULT: n27kncejcd4rt246037989eqn1jui6bj
// Store the current session ID in the session data (array key quoted)
$_SESSION['id'] = session_id();
echo "<br />";
var_dump($_SESSION['id']); //RESULT: string(32) "n27kncejcd4rt246037989eqn1jui6bj"
?>
<br />
<a href="test_two.php" >Go to Test Two</a>

test_two.php

<?php
session_start();
echo session_id(); //RESULT: m9oh3l865ovrgvb2ue6tdlmnrflpevhb
echo "<br />";
// Read back the value stored by test_one.php
var_dump($_SESSION['id']); //RESULT: NULL
?>

As you can see, in test_two.php the session_id is reset and $_SESSION[id] is NULL. When cookies are enabled everything has the same value, as it should. Why? Is this a PHP or a server problem? The domain is localhost on my personal computer.

Linux 2.6.31.12-0.2-default x86_64
Apache2.2
PHP 5.3
foxsoup Posted May 24, 2010

Sessions still require cookies to be enabled on the client end so that a 'session tracking cookie' can be written which identifies that particular client with a particular session on the server. A client will need to have cookies enabled to make use of a website that uses either cookies or sessions to remember states across pages.
Psycho Posted May 24, 2010

There are varying levels of "allowing" cookies. Each browser is different, but you can typically block third-party cookies and first-party cookies with personal info but still allow session cookies. In IE, you would use the Privacy Tab to set this.
darp (Author) Posted May 24, 2010

Thanks, but I get conflicting information about this. I have been setting up an osCommerce store. Apparently the store does not require clients to have cookies enabled. Customers are tracked via sessions alone when they choose to have cookies disabled on their browser. A session id is written to mysql or a tmp directory and passed via the URL (and somehow hidden after the second click for security reasons). However, I have not been able to get this to work on my development machine.

But you are saying that PHP sessions are dependent on cookies. Is that correct? There is no way to get sessions to work without cookies?
foxsoup Posted May 24, 2010

The server still needs a method of identifying a client with a session, so it uses a cookie to match the session ID.

From http://www.tuxradar.com/practicalphp/10/0/0 :

"Sessions grew up from cookies as a way of storing data on the server side, because the inherent problem of storing anything sensitive on clients' machines is that they are able to tamper with it if they wish. In order to set up a unique identifier on the client, sessions still use a small cookie - this cookie simply holds a value that uniquely identifies the client to the server, and corresponds to a data file on the server."

In short, a client with all cookies disabled won't be able to use sessions on your site.
Psycho Posted May 24, 2010

"In short, a client with all cookies disabled won't be able to use sessions on your site."

Added emphasis on ALL. As I alluded to previously, you can disable varying levels of cookies.
foxsoup Posted May 24, 2010

Eeep, slight brainfart moment there. Corollary to what I stated before, you can pass the session ID via the URL by turning session.use_trans_sid on in your php.ini file, but this is generally discouraged for security reasons plus it makes your URLs look pretty ugly. I'd recommend some checking up on the implications of using it before putting it into production.
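An added example, not part of the thread and not osCommerce's code: a cookie-only session bootstrap for PHP 5.3+ that leaves session.use_trans_sid off and tells a cookie-blocking client what is wrong, instead of silently handing out a new session on every page as test_two.php did. The helper names and the `cookiecheck` query parameter are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Include at the top of each page.

// Cookie-only sessions: PHP neither accepts a session ID from the query
// string nor rewrites links to carry one, so the ID stays out of URLs,
// server logs, Referer headers and shared links.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1'); // keep the ID away from page scripts

session_start();

// Hypothetical helper: true when the browser sent the session cookie back.
// False on a visitor's very first request even when cookies are enabled.
function client_returned_session_cookie()
{
    return isset($_COOKIE[session_name()]);
}

// Hypothetical helper: call after a successful login. A fresh ID plus
// deletion of the old session data means an ID that was exposed earlier
// does not carry over into the authenticated session.
function start_authenticated_session($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

if (!client_returned_session_cookie()) {
    if (isset($_GET['cookiecheck'])) {
        // Second request and still no cookie: the client blocks session
        // cookies. Say so rather than starting a new session per page.
        echo 'This site needs session cookies to be enabled.';
        exit;
    }
    // First request: the cookie was only just sent. Bounce once to see
    // whether it comes back. SCRIPT_NAME is used instead of REQUEST_URI so
    // the redirect target cannot be steered by the request line; the
    // original query string is dropped in this simplified version.
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?cookiecheck=1');
    exit;
}

$_SESSION['id'] = session_id(); // same value on every page from here on
```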