PHP Sessions with disabled cookies, does it work?

if cookies are disabled in your browser will session work in asp net
how to manage session if cookies are disabled
session and cookies in php
what if cookies are disabled
php session id cookie
session vs cookie in php
does session use cookies
difference between cookies and session in php

Today I had skype interview for a job as PHP developer, one of the questions asked was about Cookies and PHP Sessions.

The question was, can PHP session be set and read, used, if Cookies are disabled in users Browser?

I told them not, beacuse PHP Sessions by default depends on setting a session cookie. When PHP session starts, new session Cookie is set with default name PHPSESSID, and that cookie holds value of that session id, for example: ftu63d8al491s5gatuobj39gk7 Then on apache server in tmp folder file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.

Then I told them that you can do that, but then session id would be passed through URL as GET variable. And that's not secure and you must set it up in php.ini.

They were talking how you can use PHP Sessions even if Cookies are disabled in browser. And what if we are building web shop, and some granny uses our web shop and disables cookies and she joust don't care. And that PHP Sessions are great because you can use them even if user disables Cookies. I was like wtf, wtf wtf?!?!

I made test with two files, index.php starts session and sets session variables. And then session.php tries to read that session variables.

This is how it looks:

index.php

<p>This is where I start and set php sessions.</p>

<?php

    session_start();
    $_SESSION['test1'] = "SessionTest1";
    $_SESSION['test2'] = "SessionTest2";

?>

<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p><a href="session.php">Read Session</a></p>

session.php

<?php

    session_start();
    var_export($_SESSION);

?>

<p><a href="index.php">Back</a></p>

Now, if you enable cookies in your browser, visit index.php, and the visit session.php , session would be printed out.

But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see empty array right?

So basically my question is, am I right? Can you use PHP sessions if you disable cookies in your browser? And do PHP Session mechanism by default, depends on setting a session COOKIE?

Update: I was going mad about this, so I called back the guy I was talking with. And asked him, can PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and start laughing. Then I told him, ok if PHP session can work without setting cookie, how would server know current user/browser session id, if its not stored in a session cookie? (I wanted to see if he knows that session id can be passed as GET variable) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask that the Developer guy. And that he is 43 years old and has huge experience of 13 years in the bussines (he started with 30? wtf?), but he trusts me on this one. And I explained him how Session work and that you can use it without Cookie but then session id is passed as GET variable, and told him I told them that on interview, but they ware telling me no, no no... :S

So basically, the guy didn't have a clue about PHP and PHP Sessions, and yes he was the one that asked me about sessions telling me that PHP Session can work without cookie, even when I told him it cant be done, and that there is a way to use PHP Sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept job offer from them, and after all this I dont think they will offer me a job anyway...

Thanks for all the comments!

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Sessions: Introduction

PHP Sessions with disabled cookies, does it work?, Then I told him, ok if PHP session can work without setting cookie, how would server know current user/browser session id, if its not stored in a session cookie? Short answer is YES but it is not recommended to do so, the session identifier will then be passed via the query string and that’s a terrible idea . For the longer answer please refer to the SO question and read it thoroughly.

If session.use_cookies = 1 (Cookie enabled.)

If session.use_cookies = 0 (Cookie disabled.)

If session.use_cookies = 1 then session stores the sessionId into cookie. Calling session_id() get the stored sessionId from cookie and saved data into session array will be found on all the pages. If session.use_cookies = 0 In this case session does not store sessionId into cookie and you will get each time a new sessionId using session_id() and data stored into session on other pages will not be found on another pages.

How does session work if browser cookies are disabled in PHP , Short answer is YES but it is not recommended to do so, the session identifier will then be passed via the query string and that's a terrible idea . In general sense: If Cookie is disabled by browser session do not work. The most common case is mobile phone browser. In mobile phone browser cookie is disabled by default. But Session and Cookie is strongly co-related. Because using cookie value server can recall which user is currently requesting.

Yes session will work when cookies is disabled. But first apache check php configuration settings. Like:

   --enable-trans-sid
and
   --enable-track-vars

if these value are set true the session will passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.

< a href="index.php?<?= SID ?>" >Navigate from here< /a >

Need to set php.ini

ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);

php, Hi , IF Client disabled the cookies..my question is .. Will session works in PHP..​and if yes how it Yes session is still will be worked if cookie is disabled. because every one know that session using cookie to stored. data but when cookie is disable on client side so it uses. two different process to send sessionId to the server..

how to work with sessions when cookies are disabled - PHP, In general sense: If Cookie is disabled by browser session do not work. The most common case is mobile phone browser. In mobile phone  The answer to how PHP sessions can work without cookies. Sessions in PHP normally do use cookies to function. But, PHP sessions can also work without cookies in case cookies are disabled or rejected by the browser that the PHP server is trying to communicate with. How PHP sessions work without cookies. PHP does two things in order to work without cookies: 1.

If it was me, I would say "Yes"

Since you could store session in form / url somewhere to passed to next page (very bad idea). So, based on his question "can PHP session be set and read, used, if Cookies are disabled in users Browser?"

Then, it should be yes. It can read and used.

However, If user close browser, then it's gone, and that's it. (since that guy didn't ask about this part)

Where does session stored if cookie is disabled on client's machine?, By this sessionid server recognizes the request.By default the sessionid stores in Cookies but if cookies is disabled on browser or cookiesless  Sessions are considered more secure than cookies because the variables themselves are kept on the server. Here's how it works: Server opens a session (sets a cookie via HTTP header) Server sets a session variable. Client changes page. Client sends all cookies, along with the session ID from step 1.

PHP Session & PHP Cookies with Example, Sessions are like global variables stored on the server. it used to track the variables for a The diagram shown below illustrates how cookies work. 3) Other page requests from the user will return the cookie name and value. +1 seems like a lot of work but it is definitely a workaround url-session-ids and cookies. maybe even more secure if you have a random string generated per form. combining the form's random string and a hidden session-id, you are almost certain an authorized user is making the request. i know ror uses something like this.

Session Management Without Cookies : PHP, A change that can be made to the default PHP session management is to A simple experiment that illustrates what happens when users disable cookies is to accept cookies, and session-based applications won't work unless they The session identifier that would have been sent as a cookie in this  If this is the case then PHP responds by passing the cookie token in the URL. The diagram shown below illustrates how cookies work. Here, 1) A user requests for a page that stores cookies . 2) The server sets the cookie on the user’s computer . 3) Other page requests from the user will return the cookie name and value . In this tutorial, you will learn-

Do PHP sessions use cookies in any way? - PHP, If your users completely disable cookies then using the querystring is the only way they can get the session to work and if you turned off that option so as to stop​  Why Do PHP Cookies and Sessions Work Even When Cookies Are Disabled?. PHP Forums on Bytes.

Comments
  • No, it doesn't. How do you store state without cookies?
  • No as "no you are not right!", or no as "no you cant set session with disabled cookies"? :D
  • you can use sessions with out cookies, the session id then is passed in the url instead of a cookie
  • Security issue is if you copy your URL to a friend, then he has your session ID and can act as you. You cant do that with cookie, by accident!
  • Risk is no different with a cookie. The person sitting at the computer after you leave has your cookies.
  • i searched --enable-trans-sid and --enable-track-vars but didn't found neither in php.ini nor in http.conf
  • you have cookies or not? system couldnt understand your intentions. your example is this. But for the systems like gmail people count on more secure methods. Without cookies session tracking possible and many other methods exists like session.use_cookies = 0 (Cookie disabled.)
  • You are right, session tracking without cookies is possible if we do some modification in php ini file like session.use_trans_sid set to 1.