cookieless authentication in php5

Question

In my PHP application, I used UserName & Pwd and check the user table in the database to check the validity of users. After the login is successful, I stored the credentials in the Server Session as below:

$_SESSION['username'] = $username;
$_SESSION['pwd'] = $pwd;

And I checked the session to ensure that the user has already logged in. You can see the code below:

if (empty($_SESSION['userId']))
    header("Location: login.php");

The problem is if I disabled the cookie in the browser, I could not go into another page even though the log in is successful. I found out that, the PHP session uses the cookie to store some values in the browser. Is there anyway to use cookieless session in PHP5?

Answer 1

Yes, but you need to append the sessid or sid to every link.

It's described in detail here: http://myles.eftos.id.au/blog/2005/11/26/cookie-less-sessions-in-php/

You also need to change php.ini like so: php_value session.use_trans_sid = 1.

Answer 2

Yes, but you don't want to. In fact, you should only use cookie-based sessions. This is the default configuration as of PHP 5.3. Please read up on session fixation for more information.

What circumstances do you have that force you to require users be able to use your site without cookies?

Answer 3

Yes, you can, by enabling session.use_trans_sid. However, there's security concerns with doing so.

It's generally accepted that in order to login, one needs to accept a cookie.

The other alternative is to use http authorisation instead of sessions, though this also has it's drawbacks.

See session id passing.

Answer 4

You could generate a session id, and add it to your links like this

<?php
session_start();
$session_id = session_id();
header('Location: http://www.test.com/?sess_id='. $session_id);
?>