Is it true that if a script sets a cookie and if the user's browser is set to not accept cookies, then the set cookie function will detect this and instead set a session?

+9  A: 

No.

Additionally, cookies and sessions are not directly comparable. In fact, cookies are typically part of the implementation of sessions.

You can, of course, detect if the user accepts cookies. Server-side this can be done by setting a cookie, forwarding the user and checking if the user sent the just-set cookie in the new request.

Keep in mind:

  • Sessions are a more abstract concept; it's associating a user to some data that is stored server-side. This is generally implemented with cookies – the cookie stores a key that identifies the stored data; the user sends this key on every request so that the server can know which data to use. The alternative to cookies is to pass this key in the URL on every request. This is less desirable because it pollutes the URL and may expose the users to some security risks (session fixation).
  • Cookies are merely pieces of data that the server requests the user send it back on every request (to itself or to some broader set of servers).
Artefacto
+1  A: 

I guess you mean the session.use_trans_sid setting:

If you set this setting: ini_set('session.use_trans_sid', 1); then PHP attaches the session ID to the URL if there are no cookies available.

BurninLeo
I don't think it works as a fallback, but I may be wrong.
Artefacto
That is correct: The session ID will be attached to any link if SID is active. It will make sessions work if cookies are disabled, but it will also make it easier to retrieve the session key (for example from the browser history). And it makes the links a bit more ugly ;)
BurninLeo
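
The set-cookie, redirect, and check procedure from the first answer, combined with session settings that keep the session ID out of URLs (the risk both answers mention), as an added example that is not code from either poster. The cookie name `cookie_probe`, the query parameter `probe` and the function `cookieCheckStep` are assumptions made for illustration; the options-array form of `setcookie` needs PHP 7.3 or later.

```php
<?php
// Added example. PROBE_COOKIE, PROBE_PARAM and cookieCheckStep() are
// illustrative names, not part of PHP or of the answers above.

// PHP's default values, made explicit: the session ID travels only in a
// cookie and is never read from or appended to URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

const PROBE_COOKIE = 'cookie_probe';
const PROBE_PARAM  = 'probe';

/**
 * Decide the next step of the cookie check for one request.
 * Returns 'accepted', 'rejected', or 'probe' (set the cookie and redirect).
 */
function cookieCheckStep(array $cookies, array $query): string
{
    if (isset($cookies[PROBE_COOKIE])) {
        return 'accepted';   // the browser sent the probe cookie back
    }
    if (isset($query[PROBE_PARAM])) {
        return 'rejected';   // already redirected once and no cookie arrived
    }
    return 'probe';          // first visit: nothing known yet
}

switch (cookieCheckStep($_COOKIE, $_GET)) {
    case 'probe':
        setcookie(PROBE_COOKIE, '1', [
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        // Redirect to the same path; the marker parameter prevents a loop.
        // Any original query string is dropped in this sketch.
        $path = strtok($_SERVER['REQUEST_URI'], '?');
        header('Location: ' . $path . '?' . PROBE_PARAM . '=1', true, 302);
        exit;
    case 'rejected':
        // No URL fallback: report the problem rather than expose the ID in links.
        echo 'This site needs cookies to keep you signed in.';
        exit;
    case 'accepted':
        session_start();
        echo 'Cookies work; session started.';
}
```

A browser that rejects cookies ends on the `rejected` branch after exactly one redirect, so no session ID ever appears in a link, in the browser history or in a Referer header.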