How to disable PHP session cookie?

Question

I am writing PHP code where I want to pass the session id myself using POST. I don't want a cookie to store the session, as it should get lost when the user gets out of the POST cycle.

PHP automatically sets the cookie where available. I learned it is possible to change this behaviour by setting session.use_cookies to 0 in php.ini. Unfortunately, I don't have access to that file and I also wouldn't want to break the behaviour of other scripts running on the same server.

Is there a way to disable or void the session cookie inside the PHP script?

EDIT: As the proposed solutions don't work for me, I used $_SESSION = array() at positions in the code where I found the session should be invalidated.

Answer 1

Use ini_set():

ini_set('session.use_cookies', '0');

Answer 2

err its possible to override the default settings of your host by creating your own .htaccess file and here's a great tutorial if you havent touched that yet http://www.askapache.com/htaccess/apache-htaccess.html

or if you're too lazy to learn just create a ".htaccess" file (yes that's the filename) on your sites directory and place the following code

SetEnv session.use_cookies='0';

Answer 3

You can also put that setting in .htaccess so it applies to all scripts, otherwise you need to ensure that code is called on each request.

Eg.

php_value session.use_cookies 0

Answer 4

The way to do it is to setup sessions yourself.

In the central include file that all your other files are including (you do have one of those, right?), you need to do a few things as early as is practical.

if( !array_key_exists('sessionid', $_POST) ) {
    // recreate the sessionid
    $sessionid = md5(rand().' '.microtime()); // Or something
} else {
    $sessionid = $_POST['sessionid'];

session_id($sessionid);
session_start();

Now you have to remember that as soon as you start the form, you need to include:

<input type='hidden' name='sessionid'><?= session_id() ?></input>

Answer 5

If you just need to be able to zap a session at a given time, use session_destroy(). If you want to completely end the session, here's a snippet copy/pasted straight out of the documentation:

    <?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?>