ansaurus

Question

Answer 1

+1 A:

Technically you can attach the session ID to every URL, but that introduces a really high security problem. Threre is an option in the php.ini for that.

Using a IP address based solution is really risky aswell, because most of the people using the internet get a new IP every 24 hours. If someone happens to get the ip that the admin had the day before, he will be admin for that day.

FlorianH 2010-09-18 08:12:00

Answer 2

+1 A:

You can work with session ID's in URLs, and disabling cookies with:

ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);
session_start();
// IP check
if($_SESSION['ip_check'] != $_SERVER['REMOTE_ADDR']){
   session_regenerate_id();
   session_destroy();
   session_start();
}
$_SESSION['ip_check'] = $_SERVER['REMOTE_ADDR'];
// session stuff

Note: it's highly discougared to use session ID's in URL's. IP addresses can change when travelling around with a wireless card and proxy servers have the same IP address. It's easily broken when clicking 'an old URL' (with the old session ID).

You may also be interested in creating your own session handling function (in conjuction with a database). You would ignore the session ID, and bind it to the IP address. (see examples in http://nl2.php.net/manual/en/function.session-set-save-handler.php)

References:

http://nl2.php.net/manual/en/session.configuration.php

Lekensteyn 2010-09-18 08:14:01

Answer 3

A:

Here's a nice article that gives you some alternative ideas. In the end it's what Darin Dimitrov suggested put into practice.

klez 2010-09-18 08:14:10

man this article was "nice" in the last century but it's 2010 today, if you didn't notice

Col. Shrapnel 2010-09-18 08:30:51

In response to this see http://stackoverflow.com/questions/3740845/php-session-without-cookies/3740866#3740866 (in this same question), that is disabling cookies is as much "old-fashioned" as "reading that article"

klez 2010-09-18 08:53:11

@Col. Shrapnel: Well, the article *does* say "cool new features of PHP 4" :D

Piskvor 2010-09-24 11:59:11

Answer 4

+1 A:

I don't think it's too much to ask your users to enable cookies. I find it silly when people turn them off entirely.

Otherwise, you can set your session.use_only_cookies to "0" to force the appendage of a session ID to URLs within your php. This approach, however, has several draw backs. Mainly that of keep the state within the URL, as opposed to the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.

<?php
     ini_set("session.use_cookies",0);
     ini_set("session.use_only_cookies",0);
     ini_set("session.use_trans_sid",1); # Forgot this one!
     session_start();
?>

PureForm 2010-09-18 08:14:25

I believe the OP wanted `session.use_cookies` set to 1

Col. Shrapnel 2010-09-18 08:27:04

And it should be noted that these settings do not alter JS hyperlinks and Location headers in PHP code.

Col. Shrapnel 2010-09-18 08:33:58

Indeed, who still browses with cookies off in 2010? While it's still possible, I doubt anyone still does this; and thus the question is rather academic. (Even the spiders can have cookies now)

Piskvor 2010-09-24 12:03:41

Answer 5

+2 A:

You can set the ini-Value of session.use_trans_sid to true in order to activate appending the session id to every URL. Have a look at this.

For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (behind a proxy e.g.) could reuse that very same session.

halfdan 2010-09-18 08:17:21

ansaurus

tags:

views:

answers:

PHP session without cookies

related questions