
Creating Sessions Without Cookies

How can you use PHP sessions if the client browser does not support cookies (or has blocked them)?

Example: Automatically appending session ID to all URLs

<?php
 ini_set('session.use_trans_sid',true);
 ini_set('session.use_only_cookies',false);

 // block cookies in browser OR uncomment following line
 // ini_set('session.use_cookies',false);

 session_start();
 echo SID;
?>

 <div>
  <a href="next.php">Next Page</a>
  <a href="prev.php">Prev Page</a>

  <a href="php/index.html">PHP</a>
  <a href="asp/index.html">ASP</a>
 </div>

The above code snippet returns the following output:

[Screenshot: viewing the page source in the Chrome browser]

The session ID has to be sent to the browser with every response and much more importantly has to be sent back to the server with every request.

The easiest way to do so is to use cookies. PHP then sends a cookie with the name PHPSESSID (can be changed with the php.ini directive session.name) to the client. However, for this to happen, the following php.ini directive must be set:

session.use_cookies = 1

Or use PHP’s runtime configuration:

<?php
 ini_set("session.use_cookies",true);

However, what happens if the client does not support cookies? Then, a second mechanism comes into play, in the form of the following directive:

session.use_trans_sid = 1

Then, PHP automatically falls back into a mode in which the session ID is appended automatically to all URLs. Almost all relevant e-commerce websites use this mechanism. If you go to their website and load a page, the session ID is automatically appended to the end of the URL.

To be able to use session.use_trans_sid, PHP must be compiled with the --enable-trans-sid switch, something that is done automatically for the Windows binaries.

<?php
 ini_set("session.use_trans_sid",true);

The other option is to allow only cookies, not session IDs, in URLs. To do so, you can use the following php.ini directive:

session.use_only_cookies = 1

In the example, we disabled both the session.use_cookies and session.use_only_cookies directives and enabled the session.use_trans_sid directive to force PHP to put the session ID in URLs automatically:

<?php
 ini_set('session.use_trans_sid',true);
 ini_set('session.use_cookies',false);
 ini_set('session.use_only_cookies',false);
 session_start();
 echo SID;
?>

 <div>
  <a href="next.php">Next Page</a>
  <a href="prev.php">Prev Page</a>

  <a href="php/index.html">PHP</a>
  <a href="asp/index.html">ASP</a>
 </div>

<!--
Output:
PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td
 <div>
  <a href="next.php?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">Next Page</a>
  <a href="prev.php?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">Prev Page</a>

  <a href="php/index.html?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">PHP</a>
  <a href="asp/index.html?PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td">ASP</a>
 </div>
-->

The embedded links automatically have the session ID appended. PHP also sets the constant SID, which contains the session ID in a form suitable for use as a URL query string.

PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td

Note: If the session uses a cookie to store the session ID, PHP sets the value of SID to be a blank string.

Session IDs in the URL are generally bad: people could bookmark this information, some search engines will not include your sites, and so on. However, every e-commerce website (and most other websites as well) must take into account that some visitors (potential clients!) do not like or do not support cookies. Here, sessions offer a convenient way to overcome this limitation.
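The directives discussed above, checked in code. This is an added example, not part of the original page: it reports which session settings put the session ID in URLs, first for the settings used in this page's example and then for a cookie-only setup. The function name audit_session_ini() and the finding texts are hypothetical; session.use_strict_mode is a standard php.ini directive that this page does not cover, assumed here at its default of 0 for the page's example.

```php
<?php
// Added example (not from the original page). audit_session_ini() is a
// hypothetical helper; with no argument it reads the live runtime settings.
function audit_session_ini(?array $ini = null): array
{
    $names = ['session.use_cookies', 'session.use_only_cookies',
              'session.use_trans_sid', 'session.use_strict_mode'];
    if ($ini === null) {
        $ini = [];
        foreach ($names as $name) {
            $ini[$name] = ini_get($name);
        }
    }
    // ini values arrive as "1", "0", "" or booleans; normalise them.
    $on = fn(string $name): bool =>
        filter_var($ini[$name] ?? false, FILTER_VALIDATE_BOOLEAN);

    $findings = [];
    if (!$on('session.use_cookies')) {
        $findings[] = 'use_cookies off: no session cookie is sent or read';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'use_only_cookies off: a session ID supplied in a URL is accepted';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'use_trans_sid on: the ID is written into links and ends up in '
                    . 'bookmarks, browser history, server logs and Referer headers';
    }
    if (!$on('session.use_only_cookies') && !$on('session.use_strict_mode')) {
        $findings[] = 'use_strict_mode off: an ID the server never issued is adopted, '
                    . 'so a crafted link can pin a visitor to a known session';
    }
    return $findings;
}

// Constructed inputs: this page's example settings, then a cookie-only setup.
$configs = [
    'URL-based (page example)' => ['session.use_cookies' => false,
        'session.use_only_cookies' => false, 'session.use_trans_sid' => true,
        'session.use_strict_mode' => false],
    'cookie-only' => ['session.use_cookies' => true,
        'session.use_only_cookies' => true, 'session.use_trans_sid' => false,
        'session.use_strict_mode' => true],
];
foreach ($configs as $label => $ini) {
    $findings = audit_session_ini($ini);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', "\n";
}
```

Calling audit_session_ini() with no argument after the ini_set() calls in the example above audits the running configuration instead of the constructed arrays.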

Manually Creating Session-Aware Links

Using session.use_trans_sid automatically updates all links to contain the session ID if the client does not support cookies or has blocked them.

If you want those links to be generated dynamically by PHP instead, PHP offers two functions that provide all the information that is needed:

  • session_name() returns the name of the session.
  • session_id() returns the current session’s ID.

Example: Manually appending session ID to all URLs

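<?php
 session_start();
 $sid = '';
 // SID is non-empty only when the session ID did not arrive in a cookie.
 // Skip the manual step when session.use_trans_sid already rewrites links.
 $rewrites = filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN);
 if (SID != '' && !$rewrites) {
  $name = urlencode(session_name());
  $id = urlencode(session_id());
  $sid = '?'.$name.'='.$id;
 }
 echo '<a href="next.php'.htmlspecialchars($sid).'">Next</a>';

 //<a href="next.php?PHPSESSID=9bd9r53f88bkno4ts0l6bcbm03"...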

Therefore, the preceding code creates a dynamic link that contains this information, enabling the programmer to make dynamic links session-aware.

SID Constant

Constant containing either the session name and session ID in the form of “name=ID” or empty string if session ID was set in an appropriate session cookie. This is the same id as the one returned by session_id().

https://php.net/manual/session.constants.php

Appending the session ID manually without such a test prints the session ID twice if session.use_trans_sid is enabled in the php.ini file and the client has blocked cookies (or does not support them):

<a href="next.php?PHPSESSID=c366lf4btc3pl05ilos7okhpoo&PHPSESSID=c366lf4btc3pl05ilos7okhpoo">Next</a>

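To prevent this behavior, we use PHP's predefined constant SID, together with the session.use_trans_sid setting, to test whether PHP is going to append the session ID automatically.

<?php
 session_start();
 $rewrites = filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN);
 if (SID != '' && !$rewrites) {
  //No session cookie was received and PHP is not appending the session ID automatically
  //Manually append session ID to all URLs
 }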
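A fuller version of the manual approach, as an added example that is not part of the original page. It covers links that already have a query string or a fragment, avoids the doubled parameter shown above, and never adds the session ID to a URL on another host. session_aware_url() is a hypothetical helper, and the link list is constructed sample input.

```php
<?php
// Added example (not from the original page). session_aware_url() is a
// hypothetical helper; $sid is the value of PHP's SID constant and
// $transSid is the effective session.use_trans_sid setting.
function session_aware_url(string $url, string $sid, bool $transSid): string
{
    // Empty SID: the ID travels in a cookie. trans_sid on: PHP rewrites the
    // link itself, and adding the ID by hand would print it twice.
    if ($sid === '' || $transSid) {
        return $url;
    }
    $parts = parse_url($url);
    // Leave absolute and protocol-relative URLs alone so the session ID is
    // never sent to another host.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $url;
    }
    // Keep the fragment last: "page.php#top" becomes "page.php?name=id#top".
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    // A link that already carries the session parameter is left as it is.
    parse_str($parts['query'] ?? '', $query);
    $name = urldecode(explode('=', $sid, 2)[0]);
    if (array_key_exists($name, $query)) {
        return $url . $fragment;
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . $sid . $fragment;
}

// Constructed inputs; the session ID is the sample value shown on this page.
$sid = 'PHPSESSID=2mo7vhlspgr0a4dkaf1njfu1td';
$links = ['next.php', 'list.php?page=2#top',
          'https://other.example/', '//other.example/x'];
foreach ($links as $link) {
    // Escape for the HTML attribute at output time.
    $href = htmlspecialchars(session_aware_url($link, $sid, false), ENT_QUOTES);
    echo '<a href="', $href, '">link</a>', "\n";
}
```

In a real page, pass SID and the boolean value of ini_get('session.use_trans_sid') after session_start() instead of the constructed values.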

Sending Session ID in Forms

When you use an HTML form, PHP automatically appends the session ID to the action attribute of the form. However, if you want to use dynamic forms, you can add a hidden form field to the form, containing the session information:

<?php
 session_start();
 $name = htmlspecialchars(session_name());
 $id = htmlspecialchars(session_id());
 echo '<input type="hidden"
        name="'.$name.'"
        value="'.$id.'">';
