Page 1 of 1

Ensuring that sessions work even if cookies are turned off

Posted: Tue Jun 20, 2006 2:34 am
by Luke
Is the only way to ensure that sessions will work with cookies turned off by adding the ?PHPSESSID=blablabla to every link on your site? Is there a better way? I have always wondered, but never asked.

Posted: Tue Jun 20, 2006 3:15 am
by GM
I often store sessions in a table in the database.

It's an extra couple of queries every page open, but I've not really noticed any significant performance hit.

Doing it this way, you don't need cookies or to add anything to the URL.

Posted: Tue Jun 20, 2006 7:55 am
by Roja
GM wrote:Doing it this way, you don't need cookies or to add anything to the URL.
How? You still need the session ID to link to.

PHP passes it one of two ways - via session cookies, or via the url.

I use db-driven sessions, and if cookies are off, AND you prevent url passing, the sessions do not work (no session id to link to).

Please, if there is a way to do so, I'm interested.

Posted: Tue Jun 20, 2006 8:20 am
by GM
Yes. You are right.

To be honest, I was assuming that because the sessions were being stored in the database (using a custom session handler), they were no longer being stored in a cookie. But... thinking now about it logically, there needs to be something on the client-side to tell the database what key to look for.

Sorry TNSG, my mistake.

Posted: Tue Jun 20, 2006 11:42 am
by Luke
So, you have to physically append the ?PHPSESSID=blablabla to every link? Is this correct?

Code: Select all

echo "<a href='" . SID . "'>Link</a>";

Posted: Tue Jun 20, 2006 12:46 pm
by Roja
The Ninja Space Goat wrote:So, you have to physically append the ?PHPSESSID=blablabla to every link? Is this correct?

Code: Select all

echo "<a href='" . SID . "'>Link</a>";
Actually, PHP will automagically do so for you, as long as you don't override that behavior.

Posted: Tue Jun 20, 2006 12:49 pm
by RobertGonzalez
I think PHP tries to use cookie based sessions first, and if that fails then it resorts to URL SID propogation. That is why when you start a session, the very first page will add the session id to some URLs and to a hidden field in any forms that are on the page.

You don't have to code the URL append, PHP does it automatically.

Posted: Tue Jun 20, 2006 12:59 pm
by Luke
hmm... well in my experience it does sometimes and it doesn't other times. I will have to investigate why that is.

Posted: Tue Jun 20, 2006 12:59 pm
by AKA Panama Jack
If you add this right before the session_start(); the PHPSESSID variable in the url should be surpressed.

Code: Select all

ini_set ("session.use_trans_sid","0");
session_start();