passing session id via url

Question

I'm trying to get my script to use url session id instead of cookies. The following page is not picking up the variable in the url as the session id. I must be missing something.

First page http://www.website.com/start.php

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
session_start();
$session_id = session_id();
header("location: target.php?session_id=". $session_id );

Following page - http://www.website.com/target.php?session_id=rj3ids98dhpa0mcf3jc89mq1t0

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
print_r($_SESSION);
print(session_id())

Result is a different session id and the session is blank.

Array ( [debug] => no ) pt1t38347bs6jc9ruv2ecpv7o2

Answer 1

It looks like you just need to call session_start() on the second page.

From the docs:

session_start() creates a session or resumes the current one based on the current session id that's being passed via a request, such as GET, POST, or a cookie.

EDIT:

That said, you could also try manually grabbing the session id from the query string. On the second page you'd need to do something like:

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
session_id($_GET['session_id']);
print_r($_SESSION);
print(session_id());

Note that the session_id() function will set the id if you pass it the id as a parameter.

Answer 2

be careful when using the url to pass session ids, that could lead to session hijacking via the referer!

Answer 3

My issue was using Flash in FF (as flash piggy backs IE, so sessions are not shared between the flash object and firefox)

Using php 5.3 all these answers pointed at the truth. What I finally found to work was pretty simple.. pass the id in the query string. Set it. THEN start the session.

session_id($_GET['PHPSESSID']); session_start();