Example: Automatically appending session ID to all URLs
<?php
ini_set('session.use_trans_sid', true);
ini_set('session.use_only_cookies', false);
// block cookies in browser OR uncomment following line
// ini_set('session.use_cookies', false);
session_start();
echo SID;
?>
<div>
  <a href="next.php">Next Page</a>
  <a href="prev.php">Prev Page</a>
  <a href="php/index.html">PHP</a>
  <a href="asp/index.html">ASP</a>
</div>
The above code snippet returns the following output:
The session ID has to be sent to the browser with every response and, much more importantly, has to be sent back to the server with every request.
The easiest way to do so is to use cookies. PHP then sends a cookie with the name PHPSESSID (can be changed with the php.ini directive session.name) to the client. However, for this to happen, the following php.ini directive must be set:
session.use_cookies = 1
Or use PHP’s runtime configuration:
<?php ini_set("session.use_cookies",true);
However, what happens if the client does not support cookies? Then, a second mechanism comes into play, in the form of the following directive:
session.use_trans_sid = 1
Then, PHP automatically falls back into a mode in which the session ID is appended automatically to all URLs. Almost all relevant e-commerce websites use this mechanism. If you go to their website and load a page, the session ID is automatically appended to the end of the URL.
To be able to use session.use_trans_sid, PHP must be compiled with the switch enable-trans-sid, something that is automatically done for the Windows binaries.
<?php ini_set("session.use_trans_sid",true);
The other option is to allow only cookies, not session IDs, in URLs. To do so, you can use the following php.ini directive:
session.use_only_cookies = 1
In the example, we disabled both the session.use_cookies and session.use_only_cookies directives and enabled the session.use_trans_sid directive to force PHP to use the session ID in URLs automatically:
<?php
ini_set('session.use_trans_sid', true);
ini_set('session.use_cookies', false);
ini_set('session.use_only_cookies', false);
session_start();
echo SID;
?>
<div>
  <a href="next.php">Next Page</a>
  <a href="prev.php">Prev Page</a>
  <a href="php/index.html">PHP</a>
  <a href="asp/index.html">ASP</a>
</div>
<!-- Output:
PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td
<div>
  <a href="next.php?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">Next Page</a>
  <a href="prev.php?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">Prev Page</a>
  <a href="php/index.html?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">PHP</a>
  <a href="asp/index.html?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">ASP</a>
</div>
-->
PHP automatically appended the session ID to the embedded links. PHP also sets the constant SID, which contains the session ID in a form suitable for use as a URL query string.
PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td
Note: If the session uses a cookie to store the session ID, PHP sets the value of SID to be a blank string.
Session IDs in the URL are generally bad because people could bookmark this information, some search engines will not include your sites, and so on. However, every e-commerce website (and most other websites as well) must take into account that some visitors (potential clients!) do not like or do not support cookies. Here, sessions offer a convenient way to overcome this limitation.
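An added example, not part of the original page: the cookie-only counterpart of the configuration above, plus a redirect that removes the session ID from requests that still carry one in the URL (old bookmarks or shared links). The function names are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: cookie-only session setup. Function names are illustrative.

function start_cookie_only_session(bool $https): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore IDs arriving in URLs or forms
    ini_set('session.use_trans_sid', '0');    // never rewrite links with the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,  // HTTPS-only cookie when the site is served over HTTPS
        'httponly' => true,    // keep the ID away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Drop the session parameter from a local URL, keeping the other parameters.
function strip_session_param(string $url, string $name = 'PHPSESSID'): string
{
    $parts = parse_url($url) ?: [];
    parse_str($parts['query'] ?? '', $query);
    unset($query[$name]);
    // Rebuild from the path only so the result always stays on this host.
    $out = '/' . ltrim($parts['path'] ?? '', '/\\');
    if ($query !== []) {
        $out .= '?' . http_build_query($query);
    }
    if (isset($parts['fragment'])) {
        $out .= '#' . $parts['fragment'];
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample URL, reusing the ID from the output shown above.
    echo strip_session_param('/next.php?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td&page=2#top'), PHP_EOL;
} else {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    start_cookie_only_session($https);
    if (isset($_GET[session_name()])) {
        // Old bookmark or shared link: redirect to the same page without the ID.
        header('Location: ' . strip_session_param($_SERVER['REQUEST_URI'], session_name()), true, 302);
        exit;
    }
}
```

PHP 8.4 deprecates disabling session.use_only_cookies, enabling session.use_trans_sid, and the SID constant.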
Manually Creating Session-Aware Links
Using session.use_trans_sid automatically updates all links to contain the session ID if the client does not support cookies or has blocked them.
You may instead want those links to be generated dynamically by PHP. To do so, PHP offers two functions that provide all the information that is needed:
session_name() returns the name of the session.
session_id() returns the current session’s ID.
Example: Manually appending session ID to all URLs
<?php
session_start();
$sid = '';
if (SID == '') {
    $name = urlencode(session_name());
    $id = urlencode(session_id());
    $sid = $name.'='.$id;
}
echo '<a href="next.php?'.$sid.'">Next</a>';
//<a href="next.php?PHPSESSID=9bd9r53f88bkno4ts0l6bcbm03"...
Therefore, the preceding code creates a dynamic link that contains this information, enabling the programmer to make dynamic links session-aware.
SID Constant
Constant containing either the session name and session ID in the form of “name=ID” or empty string if session ID was set in an appropriate session cookie. This is the same id as the one returned by session_id().
https://php.net/manual/session.constants.php
The previous example prints the session ID twice if session.use_trans_sid is enabled in the php.ini file and the client has blocked cookies (or does not support them):
<a href="next.php?PHPSESSID=c366lf4btc3pl05ilos7okhpoo&PHPSESSID=c366lf4btc3pl05ilos7okhpoo">Next</a>
To prevent this behavior, we use PHP’s predefined constant SID to test whether PHP is going to send the session ID automatically.
<?php
session_start();
if (SID == '') {
    // PHP is not appending the session ID automatically
    // Manually append the session ID to all URLs
}
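An added example, not code from the original page: a link helper for the manual approach that copes with existing query strings and fragments, never adds the ID twice, and leaves off-site links untouched so the session ID is not handed to another host. session_link() and needs_manual_sid() are hypothetical names; this version decides from the request cookie and the session.use_trans_sid setting rather than from SID.

```php
<?php
// Added example; session_link() and needs_manual_sid() are illustrative names.

// Append "name=id" to a link, but only to relative (same-site) URLs.
function session_link(string $url, string $name, string $id): string
{
    $parts = parse_url($url);
    // Absolute and protocol-relative URLs can point off-site, and browsers
    // read a backslash as a slash: such links never get the session ID.
    // Links without a path (fragment-only, query-only) are also left alone.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || strpos($url, '\\') !== false || empty($parts['path'])) {
        return $url;
    }
    parse_str($parts['query'] ?? '', $query);
    if (isset($query[$name])) {
        return $url; // already present: never add it twice
    }
    // Keep the fragment last so the ID lands in the query string.
    [$base, $fragment] = array_pad(explode('#', $url, 2), 2, null);
    $base .= (strpos($base, '?') === false ? '?' : '&')
           . rawurlencode($name) . '=' . rawurlencode($id);
    return $fragment === null ? $base : $base . '#' . $fragment;
}

// Manual decoration is only needed when the browser sent no session cookie
// and PHP is not already rewriting the links itself.
function needs_manual_sid(array $cookies, string $name, bool $transSid): bool
{
    return !isset($cookies[$name]) && !$transSid;
}

// Constructed demo values. In a page they would come from session_name(),
// session_id(), $_COOKIE and ini_get('session.use_trans_sid').
$name = 'PHPSESSID';
$id   = 'c366lf4btc3pl05ilos7okhpoo';
if (needs_manual_sid([], $name, false)) {
    $links = ['next.php', 'list.php?page=2#top', 'https://example.org/'];
    foreach ($links as $url) {
        echo htmlspecialchars(session_link($url, $name, $id)), PHP_EOL;
    }
}
```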
Sending Session ID in Forms
When you use an HTML form, PHP automatically appends the session ID to the action attribute of the form. However, if you want to use dynamic forms, you can add a hidden form field to the form, containing the session information:
<?php
session_start();
$name = htmlspecialchars(session_name());
$id = htmlspecialchars(session_id());
echo '<input type="hidden" name="'.$name.'" value="'.$id.'">';
Cookies and Sessions: