Ensuring that sessions work even if cookies are turned off

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Ensuring that sessions work even if cookies are turned off

Post by Luke »

Is the only way to ensure that sessions will work with cookies turned off by adding the ?PHPSESSID=blablabla to every link on your site? Is there a better way? I have always wondered, but never asked.
GM
Forum Contributor
Posts: 365
Joined: Wed Apr 26, 2006 4:19 am
Location: Italy

Post by GM »

I often store sessions in a table in the database.

It's an extra couple of queries every page open, but I've not really noticed any significant performance hit.

Doing it this way, you don't need cookies or to add anything to the URL.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

GM wrote:Doing it this way, you don't need cookies or to add anything to the URL.
How? You still need the session ID to link to.

PHP passes it one of two ways - via session cookies, or via the url.

I use db-driven sessions, and if cookies are off, AND you prevent url passing, the sessions do not work (no session id to link to).

Please, if there is a way to do so, I'm interested.
GM
Forum Contributor
Posts: 365
Joined: Wed Apr 26, 2006 4:19 am
Location: Italy

Post by GM »

Yes. You are right.

To be honest, I was assuming that because the sessions were being stored in the database (using a custom session handler), they were no longer being stored in a cookie. But... thinking now about it logically, there needs to be something on the client-side to tell the database what key to look for.

Sorry TNSG, my mistake.
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

So, you have to physically append the ?PHPSESSID=blablabla to every link? Is this correct?

Code: Select all

echo "<a href='" . SID . "'>Link</a>";
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

The Ninja Space Goat wrote:So, you have to physically append the ?PHPSESSID=blablabla to every link? Is this correct?

Code: Select all

echo "<a href='" . SID . "'>Link</a>";
Actually, PHP will automagically do so for you, as long as you don't override that behavior.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think PHP tries to use cookie based sessions first, and if that fails then it resorts to URL SID propogation. That is why when you start a session, the very first page will add the session id to some URLs and to a hidden field in any forms that are on the page.

You don't have to code the URL append, PHP does it automatically.
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

hmm... well in my experience it does sometimes and it doesn't other times. I will have to investigate why that is.
User avatar
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

If you add this right before the session_start(); the PHPSESSID variable in the url should be surpressed.

Code: Select all

ini_set ("session.use_trans_sid","0");
session_start();
Post Reply