January 2013

Using Sessions when Cookies are Disabled

If cookies are disabled, we must use a different method to pass the session ID between browsing requests. (Because a session stores its Session-ID in a transient/session cookie in the client browser, the simple session implementation cannot be used to store data on the server when the user has disabled cookies in the browser. For more on how sessions use cookies, see the section on sessions and cookies below.)


A popular method is to pass it in the URL and then process it in the subsequent browsing request using $_GET, e.g.

On the index page, redirect to the requested page using the following code:

header("Location: http://www.sitename.com/yourphppage.php?PHPSESSID=" . session_id());

Then use the following in the loading page to retrieve the session ID:

$_GET['PHPSESSID'];

Passing the session ID with GET is easily hacked: the ID is visible in the URL, so it can leak through browser history, server logs and Referer headers. There are also other ways to identify the user's subsequent browsing requests, for example combining the GET parameter with the IP address ($_SERVER['REMOTE_ADDR']) and the user agent ($_SERVER['HTTP_USER_AGENT']). However, this is also not fully secure and creates performance issues. In any event, since cookies are typically enabled, you can simply deny access to visitors who don't accept cookies.
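The deny-access approach described above, as an added example that is not code from the original post: sessions are restricted to cookies, and a visitor whose browser does not return the session cookie after one redirect is refused. The `cookiecheck` parameter is a name chosen for this example, and the page path is taken from the article's sample URL.

```php
<?php
// Added example: cookie-only sessions with a one-step cookie-support check.

// Never read or emit the session ID in URLs; with use_only_cookies enabled,
// a PHPSESSID value supplied in the query string is ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs the server did not issue (PHP 5.5.2 and later).
ini_set('session.use_strict_mode', '1');
// Keep the session cookie out of reach of page scripts.
ini_set('session.cookie_httponly', '1');

session_start(); // sends Set-Cookie when the request carried no session cookie

// Fixed redirect target (assumed page name), so no request data
// ever ends up in the Location header.
$self = '/yourphppage.php';

if (!isset($_COOKIE[session_name()])) {
    if (isset($_GET['cookiecheck'])) {
        // Second request and still no cookie: the browser refuses cookies.
        http_response_code(403);
        exit('This site requires cookies to be enabled.');
    }
    // First request: the cookie was only just sent. Redirect once so the
    // browser gets a chance to return it.
    header('Location: ' . $self . '?cookiecheck=1');
    exit;
}

// From here on the visitor has a cookie-backed session.
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 0;
}
$_SESSION['visits']++;
echo 'Visits in this session: ' . (int) $_SESSION['visits'];
```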

Do sessions in PHP use cookies?

Yes. Sessions are implemented using cookies, but the actual data is not in the browser; it is stored in the user's session record on the server, and the cookie is used only to identify that particular end user's session record. Hence, they are a more secure way of storing user information.

A session in PHP consists of two things:

  1. Session data with Session-ID at server,
  2. A cookie containing only the reference to the server Session-ID (Transient cookie/Session cookie).

Every session has a Session-ID, a unique value assigned by the server to a specific user for the duration of the visit (session). This session ID is attached to a cookie, and the cookie is passed between client and server with each request and response. The server identifies the session from the session ID it retrieves from the cookie.

  • The client-side cookie generated by a session contains only the ID reference: a random string of 32 hexadecimal digits, such as 'fca17f071bbg9bf7f85ca281653499a4', called the 'Session-ID'.
  • Function session_id() is used to get or set the session id for the current session.
  • The constant SID can also be used to retrieve the current name and session id as a string suitable for adding to URLs. See also Session handling.
