johnsmith153 Posted August 31, 2012

Everything I create in PHP, and when using $_SESSION, will just fail to work if cookies are off.

I notice that with many sites, including phpfreaks.com, it will automatically append the session id to the URL if cookies are off. So you can still log in and use PHP Freaks even if cookies are turned off in the browser.

I know the security risks of this, but I want it to use cookies if the browser settings allow it, but fall back to setting the value in the URL if they are not.

I can't get PHP to automatically do this, so what should I do? I just need to get PHP to register the value in the URL (if cookies are off), whereas at the moment it just doesn't maintain the session if cookies are off.

I'm guessing an answer might be something like: (1) append phpsessid=123 etc. to the URL and (2) add a certain setting to php.ini.

Thanks.

scootstah Posted August 31, 2012

Make sure "session.use_only_cookies" is set to 0 in the php.ini.

johnsmith153 Posted August 31, 2012 (Author)

Hi, Thanks. It is set to 0.

So what do I need to do? Just append ?PHPSESSID= to the URL and that is it? Because doing that doesn't work. I must be missing something.

scootstah Posted August 31, 2012

I think it should be automatic if PHP can't write to the cookie.

johnsmith153 Posted August 31, 2012 (Author)

Thanks, but it definitely doesn't do everything automatically. I'm sure there's another setting and I need to manually append the session id to the URL on each link.

scootstah Posted August 31, 2012

I guess you need the session.use_trans_sid option enabled too.

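Added example, not part of the thread and not phpfreaks.com's own code: the two settings named above applied at runtime, together with the steps that limit the risk of a session ID travelling in the URL. The `demo_login` field and the `index.php` / `page2.php` names are placeholders assumed for illustration.

```php
<?php
// Added example. These settings must be applied before session_start().
ini_set('session.use_cookies', '1');       // prefer a cookie when the browser accepts one
ini_set('session.use_only_cookies', '0');  // also accept the ID from the URL
ini_set('session.use_trans_sid', '1');     // rewrite relative links and forms in the output
ini_set('session.use_strict_mode', '1');   // refuse IDs this server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts

session_start();

// Keep URL-carried IDs out of the Referer header sent to other sites.
header('Referrer-Policy: same-origin');

// SID is "name=id" when the request carried no session cookie, '' otherwise.
// use_trans_sid rewrites page output only; Location headers are left alone,
// so a redirect has to carry the ID explicitly.
function url_with_sid($url)
{
    if (SID === '') {
        return $url; // cookie came back, nothing to append
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . SID;
}

// Hypothetical login step: 'demo_login' stands in for a real credential check.
if (isset($_POST['demo_login'])) {
    // Issue a fresh ID at the privilege change and delete the old session,
    // so an ID that was planted or leaked in a link stops being valid.
    session_regenerate_id(true);
    $_SESSION['user'] = 'demo';
    header('Location: ' . url_with_sid('index.php'));
    exit;
}

// Relative link: PHP appends the ID to it only when no cookie was returned.
echo '<a href="page2.php">Next page</a>';

// When printing a hand-built URL into HTML, escape it.
echo '<a href="' . htmlspecialchars(url_with_sid('page2.php')) . '">Next page (manual)</a>';
```

As of PHP 8.4, changing `session.use_only_cookies` and `session.use_trans_sid` and using the `SID` constant are deprecated.
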
johnsmith153 Posted August 31, 2012 (Author)

Yes, that does it. Thanks.

Now I've thought about it, I think it might be better to use JS/HTML5 local storage as a fallback if cookies are turned off. I can do the JS, but how do I do the server-side part? Is this even possible?

scootstah Posted August 31, 2012

I'd imagine the chances of supporting that while having cookies disabled are pretty small. Plus, the only thing PHP stores in the cookie is the session ID.

I think that a user having cookies disabled is a rare enough event that passing it to the query string is good enough. Or, you could just display a message saying the site will only work properly if they have cookies enabled.

johnsmith153 Posted August 31, 2012 (Author)

Scootstah, thanks for all the help btw.

I'm just thinking that if they have cookies disabled then they may have JS enabled. In that case, use JS and local storage to maintain the session id. Local storage of course doesn't need cookies enabled at all. My only problem would be how I would pass the local storage value to the server. I'm sure it could be done and would prevent having the less secure option of the session id in the URL.