
[RESOLVED] $_SESSIONS not working with cookies disabled

Hi,
When I disable cookies in my browser, my site stops working. I am using $_SESSION variables a lot, but no actual cookies. When I say my site stops working, I mean things like not being able to log in and no sticky forms. Is there any way to ensure my site will keep working with cookies turned off?

Cheers
Luke

PHP

4 Comments

@SrWebDeveloper Dec 15.2009 — Run phpinfo() or examine php.ini and check your sessions settings, most notably these two:

session.save_path (default is blank, otherwise set a /path/ PHP can write to, don't use /tmp on Linux so sessions can't be hijacked)

session.use_only_cookies (default is 1 since PHP 5.3.0, specifies whether the module will only use cookies to store the session id on the client side - change to 0 in your situation)

Edit your php.ini accordingly - remember to restart your web server if you run PHP as a module, after any changes. If this does not solve your problem, need relevant session code.

-jim
@lukaz (author) Dec 15.2009 — Hi Jim

Thanks for the quick reply. I can't change the server configuration right now, but I tried ini_set('session.use-only-cookies', 0); in my config file. Should that work, or is that just me being hopeful? At the moment it's not working, so if it's meant to work then I guess I need to dig into my code, but if I'm just being hopeful I will have to get the server config changed.

Cheers

Luke

EDIT: after doing some more googling it looks like the issue might be that session_id cannot be parsed without cookies present (or using SID in the url?). Is there any way to get around this with PHP, or do I need to tell the user to activate cookies to use the site?
@SrWebDeveloper Dec 15.2009 — All those session configuration options I listed can be changed at runtime in your script. FYI, the help page I linked says each is changeable type "PHP_INI_ALL" which in PHP means "entry can be set anywhere".

Anyway, you can still use phpinfo() to see the current session configuration settings and make adjustments. Just remember if you do something like set the session path yourself, use proper permissions on that folder.

As to cookies, you don't "need" them to pass a session ID. You can pass it as an argument on every URL and retrieve it via $_GET. There are other topics on this forum about session ID anti-hijacking security procedures to follow if you're smart, i.e. when to reset the ID, use a hash, store the ID on the server in either database or flat file, expire it properly and so on. PHP and session security is well documented on here and the Internet.

-jim
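
The runtime configuration and the anti-hijacking steps mentioned in the comment above (reset the ID, expire it properly), sketched as an added example that is not code from any poster in this thread. The helper names and the 30-minute idle limit are assumptions; checking the return value of ini_set() is what surfaces a directive name PHP does not recognise.

```php
<?php
// Added example, not code from the thread. Helper names and the idle limit
// are assumptions chosen for illustration.

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is reset

function set_session_option(string $name, string $value): void
{
    // ini_set() returns false when the directive name is unknown or cannot
    // be changed at this point, so a misspelled name would fail silently.
    if (ini_set($name, $value) === false) {
        throw new RuntimeException("could not set $name");
    }
}

function start_cookieless_session(): void
{
    // All of these must be set before session_start().
    set_session_option('session.use_only_cookies', '0'); // accept an ID from the URL
    set_session_option('session.use_trans_sid', '1');    // PHP appends the ID to relative links
    set_session_option('session.use_strict_mode', '1');  // refuse IDs the server never issued
    session_start();

    // An ID carried in a URL ends up in history, logs and Referer headers,
    // so drop the data and issue a new ID once the session has been idle.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true); // true deletes the old session data
    }
    $_SESSION['last_seen'] = $now;
}

function log_in(string $userId): void
{
    // Reset the ID at the privilege change so an ID observed before login
    // cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_cookieless_session();
```
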
@lukaz (author) Dec 15.2009 — Thanks Jim,

I will keep digging through the forum for relevant topics.

Luke