johnsmith153 Posted August 31, 2012

If cookies are turned off then I would like to use local/session storage to maintain the session id. I can do the JS code for local/session storage, but how do I store a session id and maintain it etc?

Adam Posted September 5, 2012

You can't do it. Cookies are sent in the request headers so PHP has access. localStorage though is purely client-side, PHP cannot read from it. Not to mention you're never going to be in a position where the user's browser supports localStorage but not cookies.

xyph Posted September 5, 2012

If a user doesn't want to support cookies, it's best not to allow them to maintain a session. Passing it through the query string is dangerous, as it exposes the ID to the user themselves making accidental compromise and potential fixation easier.

johnsmith153 Posted September 5, 2012 Author

> If a user doesn't want to support cookies, it's best not to allow them to maintain a session. Passing it through the query string is dangerous, as it exposes the ID to the user themselves making accidental compromise and potential fixation easier.

This is what I went with in the end. What made me look at this was how phpfreaks.com passes the session id in the URL (if cookies are off). I was testing a site with cookies off in the browser and realised PHP Freaks still allowed login.
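
The cookie-only approach the thread settles on, as an added example that is not part of any post above: PHP is told to ignore session IDs in URLs, and a session is bound to a user only when the browser actually sent the session cookie back. The function names are hypothetical, HTTPS is assumed, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: cookie-only PHP sessions, no URL or client-storage fallback.
// start_cookie_only_session() and bind_user_to_session() are hypothetical names.

function start_cookie_only_session(): void
{
    // Never accept a session ID from the query string, never append one to links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not issue itself (limits fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // page scripts cannot read the ID
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from the login POST handler after the application's own credential
// check has succeeded. The page that rendered the login form must already
// have called start_cookie_only_session(), so a browser that accepts cookies
// returns the session cookie with this request.
function bind_user_to_session(string $userId): bool
{
    start_cookie_only_session();

    // No cookie in the request: the browser refuses cookies. Do not fall back
    // to another transport; drop the fresh empty session and report failure.
    if (!isset($_COOKIE[session_name()])) {
        session_destroy();
        return false;
    }

    // Issue a new ID at the privilege change so a pre-login ID is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}
```

When `bind_user_to_session()` returns false, the login page can tell the user that cookies are required instead of logging them in.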