PHP session without cookies

Is there a way to initiate a persistent session in PHP without placing a session cookie? Are there other ways to maintain a session on different pages, such as an IP address based solution?

My reason for requesting is that although most users have cookies, I want to see if there is a way for the login system to work with those who have it disabled (although I believe that disabling cookies is just unnecessary paranoia, personally).

+45
php cookies session
Sep 18 '10 at 8:05
5 answers

I don't think it is too much to ask your users to enable cookies. I find it stupid when people turn them off completely.

Otherwise, you can set session.use_only_cookies to "0" to force the session ID to be added to the URLs within your PHP. However, this approach has several drawbacks. Basically, it saves state in the URL rather than in the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.

    <?php
    // Carry the session ID in URLs instead of a cookie
    ini_set("session.use_cookies", 0);
    ini_set("session.use_only_cookies", 0);
    ini_set("session.use_trans_sid", 1);
    ini_set("session.cache_limiter", "");
    session_start();
+48
Sep 18 '10 at 8:14

You can work with session IDs in URLs and disable cookies with:

    ini_set('session.use_cookies', 0);
    ini_set('session.use_only_cookies', 0);
    ini_set('session.use_trans_sid', 1);
    session_start();

    // IP check (isset() avoids an undefined-index notice on the first request)
    if (isset($_SESSION['ip_check']) && $_SESSION['ip_check'] != $_SERVER['REMOTE_ADDR']) {
        session_regenerate_id();
        session_destroy();
        session_start();
    }
    $_SESSION['ip_check'] = $_SERVER['REMOTE_ADDR'];

    // session stuff

Note: it is highly discouraged to use session identifiers in URLs. IP addresses can change when working with a wireless card, and proxy servers have the same IP address. It breaks easily when you click the "old URL" (with the old session identifier).

You may also be interested in creating your own session processing function (combined with a database). You ignore the session identifier and bind it to the IP address. (See examples at http://php.net/manual/en/function.session-set-save-handler.php)

Literature:

+4
Sep 18 '10 at 8:14

You can set the ini value session.use_trans_sid to true to enable the addition of a session identifier to each URL. Check it out.

For security reasons, you must restrict the session to the IP address that created the session. However, this is not entirely safe, as someone with the same IP (behind a proxy server, for example) can reuse the same session.

+4
Sep 18 '10 at 8:17
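The IP binding described in the two answers above, combined with session.use_strict_mode, as an added example that is not part of any answer on this page. The function name start_url_session and the policy of giving a mismatching client a new, empty session are assumptions made for illustration.

```php
<?php
// Added example, not code from any answer on this page.
// start_url_session() is a hypothetical helper name.

function start_url_session(string $clientIp): bool
{
    // Same settings the answers use: the session ID travels in the URL.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
    // Refuse IDs the server did not issue, so a prepared link cannot pick the ID.
    ini_set('session.use_strict_mode', '1');

    // The ID is part of every URL: keep it out of Referer headers sent to other sites.
    header('Referrer-Policy: no-referrer');

    session_start();

    $bound = $_SESSION['ip_check'] ?? null;
    if ($bound !== null && $bound !== $clientIp) {
        // A known ID arrived from another address (for example a pasted link).
        // Assumed policy: the stored session of the original client is left as it is,
        // and this client continues under a new ID with no data.
        session_regenerate_id(false);
        $_SESSION = [];
        $_SESSION['ip_check'] = $clientIp;
        return false;
    }

    // First request for this session, or same address as before.
    $_SESSION['ip_check'] = $clientIp;
    return true;
}

$sameClient = start_url_session($_SERVER['REMOTE_ADDR'] ?? '');
if (!$sameClient) {
    // Treat the request as not logged in and ask for credentials again.
}
```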

You can save the session ID for each IP address in the database:

Create a MySQL table with three fields: session_id, ip and a unique temporary key (for registered users) or any other condition that you like. Then disable session cookies and use_trans_sid.

Then create code to control session behavior based on this new table!

After session_start(), save session_id in the table, and then get it from the table (by IP and any other condition), and then call:

 session_id($in_table_session_id); 

For more information and a complete guide, see: https://gist.github.com/mimrahe/77415f4a9e238c313bbe8c42f8a6b7fe

+2
Aug 01 '16 at 8:02

You can create a database record or temporary file and check $_SERVER vars for a query each time the page loads. This is a security risk, but with enough variables (see here), you may feel that you have a chance to capture an acceptable level; only you know how secure your application is.

0
Aug 01 '16 at 8:11


