cjakeman

Reputation: 223

How do PHP sessions work when cookies are disabled?

I've tried to research this mechanism but only find hints and these are not very consistent. How is the session_id sent to the browser and how is the browser instructed to return it when the user requests a new page?

Thanks, Chris

Upvotes: 18

Views: 17084

Answers (3)

Ajay Patel

Reputation: 5418

Sessions work by creating a unique id (UID) for each visitor and storing variables based on this UID. The UID is either (1) stored in a cookie or (2) is propagated in the URL.

Upvotes: 0

VolkerK

Reputation: 96159

PHP's own session module supports fetching the session id from GET and POST data (besides cookies). You can use http://uk.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid and http://uk.php.net/manual/en/session.configuration.php#ini.url-rewriter.tags to let PHP handle the forwarding of the id. But in any case keep in mind that, especially if you're using GET to transport the id, it's more likely some of your users give away their (valid) session id by accident.

The underlying mechanism doesn't care how the session id was transported from the client to the server. As long as you pass the "right" value to session_id() it will work - even if you do something as weird (stupid?) as abusing the etag-header as a vehicle for the session id ;-)

Upvotes: 0

Gareth

Reputation: 138032

PHP will do 2 things:

  • It will rewrite all links to pass an extra GET parameter, usually PHPSESSID but this can be changed by setting session.name in php.ini
  • It will add a hidden input with the same name after all <form> opening tags.

Note that this is a dangerous thing to do, because anyone who you e.g. copy/paste a URL to containing a PHPSESSID parameter will be able to share your login session on the site - the webserver has no easy way of telling that you are different from the person you sent the link to...

Upvotes: 29
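
The URL-propagation risk described in the answers above can be closed off in configuration. The following is an added example, not code from any of the answers: it shows the weak settings next to a cookie-only setup and flags requests that still carry the session name in GET or POST data. It assumes PHP 7.3+ and an HTTPS site; `request_carries_session_id()` and `login_user()` are hypothetical helper names.

```php
<?php
// Added example (not from the original answers). Assumes PHP 7.3+ and HTTPS.

// Weak setup described in the answers: the id travels in links and forms.
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

// Hardened setup: the id is only ever accepted from the session cookie.
$hardened = [
    'use_cookies'      => 1,
    'use_only_cookies' => 1,     // ignore ids arriving via GET/POST
    'use_trans_sid'    => 0,     // never rewrite links or add hidden inputs
    'use_strict_mode'  => 1,     // refuse ids the server did not issue
    'cookie_httponly'  => 1,     // keep the cookie away from page scripts
    'cookie_secure'    => 1,     // send the cookie over HTTPS only
    'cookie_samesite'  => 'Lax',
];

// Hypothetical helper: true if the session name appears in URL or form data.
function request_carries_session_id(string $name, array $get, array $post): bool
{
    return array_key_exists($name, $get) || array_key_exists($name, $post);
}

// Hypothetical helper: issue a fresh id when the privilege level changes,
// so an id that leaked before login is useless afterwards.
function login_user(string $userId): void
{
    session_regenerate_id(true);          // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the check can be run offline.
    $shared = ['page' => 'cart', 'PHPSESSID' => 'constructed-sample-id'];
    $clean  = ['page' => 'cart'];
    var_dump(request_carries_session_id('PHPSESSID', $shared, []));
    var_dump(request_carries_session_id('PHPSESSID', $clean, []));
} else {
    if (request_carries_session_id(session_name(), $_GET, $_POST)) {
        // With use_only_cookies=1 the value is ignored; log it for review.
        error_log('Session id supplied outside the cookie; ignored.');
    }
    session_start($hardened);
}
```

With these settings a visitor whose browser refuses cookies simply gets no persistent session, which is the trade-off for not exposing the id in URLs.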
