Is there a way that I can initiate a persistent session in PHP without the placement of a session cookie? Are there other ways of maintaining a session across pages, such as an IP address-based solution?

My reason for asking is that although most users have cookies on, I want to see if there's a way for a login system to work for those with them disabled (even though I think disabling cookies is just unnecessary paranoia, personally).

+1  A: 

Technically you can attach the session ID to every URL, but that introduces a really high security problem. There is an option in the php.ini for that.

Using an IP-address-based solution is really risky as well, because most of the people using the internet get a new IP every 24 hours. If someone happens to get the IP that the admin had the day before, he will be admin for that day.

FlorianH
+1  A: 

You can work with session IDs in URLs and disable cookies with:

```php
<?php
// Carry the session ID in URLs instead of a cookie
ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);
session_start();
// IP check: on a mismatch, drop the stored data and the old session ID
if (isset($_SESSION['ip_check']) && $_SESSION['ip_check'] != $_SERVER['REMOTE_ADDR']) {
    $_SESSION = array();
    session_regenerate_id(true);
}
$_SESSION['ip_check'] = $_SERVER['REMOTE_ADDR'];
// session stuff
```

Note: it's highly discouraged to use session IDs in URLs. IP addresses can change when travelling around with a wireless card, and proxy servers have the same IP address. It's easily broken when clicking 'an old URL' (with the old session ID).

You may also be interested in creating your own session handling function (in conjunction with a database). You would ignore the session ID, and bind it to the IP address. (see examples in http://nl2.php.net/manual/en/function.session-set-save-handler.php)

Lekensteyn
A: 

Here's a nice article that gives you some alternative ideas. In the end it's what Darin Dimitrov suggested put into practice.

klez
man this article was "nice" in the last century but it's 2010 today, if you didn't notice
Col. Shrapnel
In response to this, see http://stackoverflow.com/questions/3740845/php-session-without-cookies/3740866#3740866 (in this same question); that is, disabling cookies is as much "old-fashioned" as "reading that article"
klez
@Col. Shrapnel: Well, the article *does* say "cool new features of PHP 4" :D
Piskvor
+1  A: 

I don't think it's too much to ask your users to enable cookies. I find it silly when people turn them off entirely.

Otherwise, you can set your session.use_only_cookies to "0" to force the appendage of a session ID to URLs within your PHP. This approach, however, has several drawbacks, mainly that of keeping the state within the URL, as opposed to the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.

```php
<?php
ini_set("session.use_cookies", 0);
ini_set("session.use_only_cookies", 0);
ini_set("session.use_trans_sid", 1); # Forgot this one!
session_start();
?>
```
PureForm
I believe the OP wanted `session.use_cookies` set to 1
Col. Shrapnel
And it should be noted that these settings do not alter JS hyperlinks and Location headers in PHP code.
Col. Shrapnel
Indeed, who still browses with cookies off in 2010? While it's still possible, I doubt anyone still does this; and thus the question is rather academic. (Even the spiders can have cookies now)
Piskvor
+2  A: 

You can set the ini-Value of session.use_trans_sid to true in order to activate appending the session id to every URL. Have a look at this.

For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (behind a proxy e.g.) could reuse that very same session.

halfdan
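
The database-backed save handler Lekensteyn mentions and the IP limit halfdan suggests can be combined so that the storage layer itself enforces the binding; the following is an added example, not code from any of the answers. Unlike Lekensteyn's description it still keys rows on the session ID and stores the creating address beside it, so a pasted URL opened from another address gets an empty session and cannot overwrite the owner's data. Assumptions: PHP 8 with pdo_sqlite, SQLite 3.24 or later for the upsert, and a hypothetical class name, table layout and database path.

```php
<?php
// Added example. IpBoundSessionHandler, the sessions table and the database
// path are hypothetical names chosen for illustration.
final class IpBoundSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $ip)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, ip TEXT NOT NULL, data TEXT NOT NULL, ts INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        // Data goes only to the address that created the session; any other
        // address presenting the same ID starts from an empty session.
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND ip = ?');
        $q->execute([$id, $this->ip]);
        $data = $q->fetchColumn();
        return $data === false ? '' : $data;
    }
    public function write(string $id, string $data): bool
    {
        // The WHERE on the upsert stops another address overwriting the owner's row.
        $q = $this->db->prepare('INSERT INTO sessions (id, ip, data, ts) VALUES (?, ?, ?, ?)
            ON CONFLICT(id) DO UPDATE SET data = excluded.data, ts = excluded.ts
            WHERE sessions.ip = excluded.ip');
        return $q->execute([$id, $this->ip, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        $q = $this->db->prepare('DELETE FROM sessions WHERE id = ? AND ip = ?');
        return $q->execute([$id, $this->ip]);
    }
    public function gc(int $max_lifetime): int|false
    {
        // Expire idle rows so an old URL stops working after the session lifetime.
        $q = $this->db->prepare('DELETE FROM sessions WHERE ts < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
}

ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/sessions.sqlite');
session_set_save_handler(new IpBoundSessionHandler($db, $_SERVER['REMOTE_ADDR'] ?? 'cli'), true);
session_start();
```

Clients that share an address, such as users behind the same proxy, still pass this check, which is the limit both answers point out.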