Using Sessions when Cookies are Disabled

If cookies are disabled, a different method is needed to pass the session id from one request to the next. PHP's session support normally stores the Session-ID in a transient (session) cookie on the client, so the plain session implementation cannot keep per-user data on the server once the visitor has switched cookies off (the section below on how sessions use cookies explains this in more detail).


A popular method is to pass it in the URL and then read it back in the subsequent request with $_GET, e.g.

On the index page, start the session (so an id exists) and redirect to the target page with the id in the query string:

<?php
session_start();                                   // creates the session and its id
header('Location: http://www.sitename.com/yourphppage.php?PHPSESSID=' . session_id());
exit;

Then on the loading page, adopt that id before starting the session; PHP will not pick it up from the URL by itself while session.use_only_cookies is on (the default):

<?php
if (isset($_GET['PHPSESSID'])) {
    session_id($_GET['PHPSESSID']);                // must be called before session_start()
}
session_start();

Passing the id in the URL is easy to abuse: the id ends up in browser history and bookmarks, in proxy and web server logs, and in the Referer header of every outbound link, and an attacker who can get a victim to open a link carrying a chosen id can fix the victim's session (session fixation). Another approach is to combine the GET parameter with the client's IP address ($_SERVER['REMOTE_ADDR']) and user agent ($_SERVER['HTTP_USER_AGENT']). However, both values are shared or attacker-controlled (NAT, proxies, mobile networks, a spoofed User-Agent header), so this is also not fully secure, and it adds a check to every request. In any event, since cookies are enabled in practically every browser, you can simply deny access to visitors who do not accept cookies and keep PHP's defaults of session.use_only_cookies=1 and session.use_trans_sid=0, so the id is never read from or written into a URL.
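The cookie-only approach described above, written out as an added example (this is not code from the original post). It assumes PHP 7.3 or later (array form of session_set_cookie_params) and an HTTPS site; the script path in SELF_URL and the cookie_check marker name are illustrative:

```php
<?php
// Added example: require the session cookie and never accept a URL-carried id.
// Assumes PHP 7.3+ and HTTPS; SELF_URL is the assumed path of this script.

const SELF_URL = '/yourphppage.php';

/** Lock the session id to a cookie the server issued; run before session_start(). */
function configureSession(): void
{
    ini_set('session.use_only_cookies', '1');  // never accept the id from GET/POST
    ini_set('session.use_trans_sid', '0');     // never rewrite the id into links/forms
    ini_set('session.use_strict_mode', '1');   // ignore ids the server did not generate
    session_set_cookie_params([
        'lifetime' => 0,        // transient cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

/**
 * Cookie test in two requests: the first response sets the cookie, marks the
 * session and redirects to itself with ?cc=1. If the cookie comes back, the
 * mark is still there. If no cookie comes back, PHP starts an empty session
 * and the visitor is refused.
 */
function requireCookies(): void
{
    if (!isset($_GET['cc'])) {
        $_SESSION['cookie_check'] = true;
        header('Location: ' . SELF_URL . '?cc=1', true, 302);  // fixed path: no header injection
        exit;
    }
    if (empty($_SESSION['cookie_check'])) {
        if (isset($_COOKIE[session_name()])) {
            // The cookie came back but the record behind it is gone (expired, or the
            // id was rejected by strict mode): cookies do work, so just start fresh.
            $_SESSION['cookie_check'] = true;
            return;
        }
        http_response_code(403);
        exit('This site requires cookies to be enabled.');
    }
}

/** On login, replace the id so an id known to a third party cannot be reused. */
function loginUser(int $userId): void
{
    session_regenerate_id(true);     // true = delete the old server-side record
    $_SESSION['user_id'] = $userId;
}

configureSession();
session_start();
requireCookies();

// Normal page logic from here on; $_SESSION is reachable only through the cookie.
if (isset($_POST['login'])) {        // illustrative: real code validates credentials first
    loginUser(42);
}
echo 'Session id (key of the server-side record): ' . session_id();
```

The ini_set() calls work because these three directives can be changed at runtime, but they must run before session_start(); setting them in php.ini is equivalent and safer, since a script that forgets the calls would otherwise fall back to the defaults.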

Do sessions in PHP use cookies?

Yes. Sessions are implemented with a cookie, but the actual data is not in the browser: it is kept in the user's session record on the server, and the cookie only identifies which server-side record belongs to that user. Session data is therefore a more trustworthy place to keep user information than a cookie, whose contents the client can read and edit.

A session in PHP consists of two things:

  1. the session data, stored on the server under its Session-ID, and
  2. a cookie in the browser that holds only the Session-ID (a transient or session cookie).

Every session has a Session-ID, a unique value the server assigns to a visitor for the duration of the visit (the session). The id is placed in a cookie that the browser sends back with each request, and the server uses the id from that cookie to look up the matching session record.

  • The client-side cookie contains only the id reference: a random string, by default 32 hexadecimal characters such as 'fca17f071bb49bf7f85ca281653499a4', called the 'Session-ID'. Since PHP 7.1 the length and alphabet are controlled by session.sid_length and session.sid_bits_per_character.
  • The function session_id() gets or sets the session id for the current session.
  • The constant SID holds the session name and id in the form name=id (for example PHPSESSID=...), a string suitable for appending to URLs; it is the empty string when the id was already received in a cookie. See also Session handling.

Php Configuration File (php.ini)

The 'php.ini' file is the default configuration file for running applications that require PHP. It is used to control variables such as script execution time, upload sizes etc. Some common setting variables with description are as follows:

Register Globals
  • register_globals (default: Off). Whether to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. Leave it Off: with it On, any request parameter can overwrite a script variable. The directive was deprecated in PHP 5.3 and removed in PHP 5.4.

File Upload
  • file_uploads (default: On). Whether to allow HTTP file uploads.
  • upload_tmp_dir (default: NULL). Temporary directory for HTTP uploaded files (the system default is used if not specified).
  • upload_max_filesize (default: 2M). Maximum allowed size of a single uploaded file. PHP accepts shorthand byte values with the suffixes K (kilo), M (mega) and G (giga).
  • max_file_uploads (default: 20). Maximum number of files that may be uploaded in one request.

Post
  • post_max_size (default: 8M). Maximum size of the whole POST body. Because an uploaded file is part of that body, this value must be larger than upload_max_filesize or large uploads fail.

Session
  • session.gc_maxlifetime (default: 1440). Number of seconds after which session data is treated as garbage and may be removed by the garbage collector (1440 s = 24 min). The collector runs at session start with probability session.gc_probability/session.gc_divisor, so data can survive somewhat longer than this value.
  • session.auto_start (default: 0). Whether to start a session automatically on every request (site-wide session support without calling session_start()).

Resource Limit
  • max_execution_time (default: 30). Maximum execution time of each script, in seconds (0, meaning unlimited, for the CLI).

Error Reporting
  • error_reporting (default: E_ALL in php.ini-development). Which error types are reported; E_ALL reports all of them. Keep display_errors Off on production servers so that error messages (file paths, queries) go to the log instead of the visitor's browser.

The full list of directives is documented on the PHP official website.
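As an added example (not part of the original post), the following script checks the directives from the table above, plus the session cookie settings, against a hardened baseline using ini_get(). The baseline values are recommendations made here, not php.ini defaults, and the treatment of post_max_size 0 as "no limit" follows the PHP documentation:

```php
<?php
// Added example: audit php.ini session, upload and error directives at runtime.
// Run as: php audit.php  (exit status 1 when any finding is reported)

/** Convert a php.ini shorthand size ("2M", "8M", "512K", "1G", "1048576") to bytes. */
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $unit = strtolower(substr($value, -1));
    $num  = (int) $value;          // (int)"2M" === 2: the cast stops at the first non-digit
    switch ($unit) {
        case 'g': return $num * 1024 ** 3;
        case 'm': return $num * 1024 ** 2;
        case 'k': return $num * 1024;
        default:  return $num;     // plain byte count
    }
}

/** Normalise the ini boolean spellings ("1", "On", "yes", "true") to a bool. */
function iniBool(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'yes', 'true'], true);
}

/** Return a list of findings; an empty list means the checked directives look sane. */
function auditIni(): array
{
    $findings = [];

    // Session hardening: the id must travel only in a cookie the server issued.
    $mustBeOn = ['session.use_only_cookies', 'session.use_strict_mode',
                 'session.cookie_httponly', 'session.cookie_secure'];
    foreach ($mustBeOn as $directive) {
        if (!iniBool((string) ini_get($directive))) {   // ini_get() is false for unknown names
            $findings[] = "$directive should be On";
        }
    }
    if (iniBool((string) ini_get('session.use_trans_sid'))) {
        $findings[] = 'session.use_trans_sid should be Off (id would be rewritten into URLs)';
    }

    // register_globals was removed in PHP 5.4; on an older build it must be Off.
    if (iniBool((string) ini_get('register_globals'))) {
        $findings[] = 'register_globals should be Off';
    }

    // Upload limits: post_max_size caps the whole body, so it must exceed upload_max_filesize.
    $post   = iniSizeToBytes((string) ini_get('post_max_size'));
    $upload = iniSizeToBytes((string) ini_get('upload_max_filesize'));
    if ($post > 0 && $post <= $upload) {   // 0 disables the post limit
        $findings[] = "post_max_size ($post bytes) must be larger than upload_max_filesize ($upload bytes)";
    }

    // Error display: log errors for the developer, never show them to the visitor.
    if (iniBool((string) ini_get('display_errors'))) {
        $findings[] = 'display_errors should be Off in production; enable log_errors instead';
    }

    // Session lifetime: 1440 s is the default; anything over a day is flagged here (assumed policy).
    $gc = (int) ini_get('session.gc_maxlifetime');
    if ($gc > 86400) {
        $findings[] = "session.gc_maxlifetime ($gc s) is longer than one day";
    }

    return $findings;
}

$findings = auditIni();
foreach ($findings as $finding) {
    echo "- $finding\n";
}
exit($findings ? 1 : 0);
```

Run it under the same SAPI as the application (php-fpm or mod_php, not only the CLI), because the CLI reads its own php.ini and, for example, defaults max_execution_time to 0.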
