Reputation: 52417
I am writing PHP code where I want to pass the session id myself using POST. I don't want a cookie to store the session, as it should get lost when the user gets out of the POST cycle.
PHP automatically sets the cookie where available. I learned it is possible to change this behaviour by setting session.use_cookies to 0 in php.ini. Unfortunately, I don't have access to that file and I also wouldn't want to break the behaviour of other scripts running on the same server.
Is there a way to disable or void the session cookie inside the PHP script?
Upvotes: 10
Views: 51682
Reputation: 1137
If you're in a setup with session / header already defined from other app location, you can also remove the Set-Cookie HTTP header with this code block:
header_remove("Set-Cookie");
Upvotes: 1
Reputation: 176803
Use ini_set():
ini_set('session.use_cookies', '0');
Or in your php.ini file:
session.use_cookies = 0
Upvotes: 36
Reputation: 2400
If you just need to be able to zap a session at a given time, use session_destroy(). If you want to completely end the session, here's a snippet copy/pasted straight out of the documentation:
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
Upvotes: 2
Reputation: 49
I was having trouble with PHP's documented approach to destroying a session w/ cookies.
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
This was resulting in my seeing the cookie set twice:
Set-Cookie: SESSION_NAME=deleted; expires=Sat, 08-Jan-2011 14:09:10 GMT; path=/; secure
Set-Cookie: SESSION_NAME=1_4f09a3871d483; path=/
As documented in the PHP comments, setting the cookie value to something other than empty ('') gets rid of the "deleted" value, but the second cookie set remained.
To get rid of that, I had to add the code suggested above:
ini_set('session.use_cookies', '0');
I haven't looked at the source for sessions handling, but my guess is that setcookie(...) is bypassing the sessions module, so sessions doesn't know I called it. So, it is setting a default cookie after I set up a deleted cookie.
I was testing on a Mac: PHP 5.3.6 with Suhosin-Patch (cli) (built: Sep 8 2011 19:34:00)
Upvotes: 2
Reputation: 30575
The way to do it is to set up sessions yourself.
In the central include file that all your other files are including (you do have one of those, right?), you need to do a few things as early as is practical.
if( !array_key_exists('sessionid', $_POST) ) {
    // recreate the sessionid from a CSPRNG (PHP 7+); md5(rand().microtime()) is predictable
    $sessionid = bin2hex(random_bytes(16)); // Or something
} else {
    // reuse the ID the form posted back
    $sessionid = $_POST['sessionid'];
}
session_id($sessionid);
session_start();
Now you have to remember that as soon as you start the form, you need to include:
<input type='hidden' name='sessionid' value='<?= htmlspecialchars(session_id(), ENT_QUOTES) ?>'>
Upvotes: -4
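Added example, not part of any answer in this thread: one way to combine the runtime ini_set() switch with a POST-carried session ID, validating the posted value before PHP uses it. It assumes PHP 5.5.2 or later (for session.use_strict_mode), session.auto_start off, and the default files session handler; the "step" counter is a hypothetical stand-in for the form's state.

```php
<?php
// Added example (not from the thread). The field name "sessionid" follows the
// answer above; the "step" counter is a hypothetical stand-in for form state.

// Both settings are changeable per script and must be set before session_start().
ini_set('session.use_cookies', '0');     // no Set-Cookie header for this script
ini_set('session.use_strict_mode', '1'); // discard IDs the server never issued

/** Return the posted ID if it is a syntactically valid session ID, else null. */
function posted_session_id(array $post)
{
    $id = isset($post['sessionid']) ? $post['sessionid'] : null;
    // Alphabet accepted by the default "files" handler; also rejects arrays
    // (sessionid[]=x) and oversized or binary values.
    if (!is_string($id) || !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id)) {
        return null;
    }
    return $id;
}

$posted = posted_session_id($_POST);
if ($posted !== null) {
    session_id($posted);   // resume the session named in the POST body
}
session_start();           // with no usable ID, PHP generates a fresh one

// If strict mode replaced an unknown ID, session_id() now differs from $posted
// and $_SESSION is empty, so the POST cycle simply restarts.
$_SESSION['step'] = isset($_SESSION['step']) ? $_SESSION['step'] + 1 : 1;
?>
<form method="post">
  <input type="hidden" name="sessionid"
         value="<?= htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8') ?>">
  <p>Step <?= (int) $_SESSION['step'] ?></p>
  <button type="submit">Next</button>
</form>
```

Because the ID travels in page markup rather than a cookie, call session_regenerate_id(true) whenever the user's privilege level changes.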
Reputation: 6614
Err, it's possible to override the default settings of your host by creating your own .htaccess file, and here's a great tutorial if you haven't touched that yet: http://www.askapache.com/htaccess/apache-htaccess.html
Or, if you're too lazy to learn, just create a ".htaccess" file (yes, that's the filename) in your site's directory and place the following code in it:
# SetEnv only sets an environment variable; under mod_php, php_flag changes the PHP setting
php_flag session.use_cookies off
Upvotes: 7
Reputation: 2909
You can also put that setting in .htaccess so it applies to all scripts, otherwise you need to ensure that code is called on each request.
E.g.
php_value session.use_cookies 0
Upvotes: 2