Cookies and session variables

To find out where session variables are stored I included this
instruction in my program:
echo ini_get("session.save_path");

The reply was /home/7604/data/tmp which is a folder on my server.

I look at /home/7604/data/tmp and it is full of session files for

Even so, if I have cookies blocked for my site
in IE6 or cookies turned off in Mozilla Firefox no session variables
are stored. I don't think it should be like this. I read somewhere
that "PHP sessions will work even if the user has cookies disabled."

What am I doing wrong?


Jan Nordgreen

Re: Cookies and session variables


Yap. That's all normal, just in case you wonder. If cookies are enabled, then
session id will be stored in the cookie, automatically sent on next request to
the server, and the PHP script will know which file to open for reading the
values. However, if you reject cookies, then your browser will not send anything
to the server and it won't be able to find out which session is yours.

If you don't want to rely on cookies, you can pass SID parameter (containing what
session_id() returned) as URL argument, which will also be recognized
when session_start() is called. This, however, isn't recommended, due to security
issues. Someone can see the ID, and if interested, can type it at his home as SID
in the URL and automatically be logged in. This is not what you want, so this
technique is generally avoided.

Your duty, as a programmer, is usually only to make sure cookies are enabled and
display the page(s), or detect that the cookies are disabled, and warn the user
about this saying "please turn on your cookies, this site is worth shit without
cookies" (no offense intended, such is mine, too, and it's not a bad thing)

You can check if cookies are enabled by sending a cookie to the client, and
checking if it still exists in his next request. It's the only way, to
my knowledge.

I hope this helped.

Re: Cookies and session variables




Check what the chance(!) is that old session files are deleted by the
garbage collector:

session.gc_probability        1
session.gc_divisor        1
session.gc_maxlifetime        1440


A browser with cookies turned off, and session settings only allowing
cookie based sessions will generate a new session on every request. So
yeah, it would be a quickly growing amount of sessionfiles.


It could work if you allow it.

session.use_cookies        1
session.use_only_cookies    0
session.use_trans_sid        1
url_rewriter.tags        "a=href,area=href,frame=src,form=,fieldset=

Don't be very amazed if all your clientele from google seem to have the
same sessionid though...
--

Rik Wasmus

Re: Cookies and session variables

damezumari wrote:


How PHP handles session id's is determined by the php.ini file.  You  
have two options: session.use_cookies and session.use_only_cookies.

If session.use_cookies is 1, PHP will attempt to store the session id in  
a cookie.  If it's 0, PHP will pass the session id in the URL.

If session.use_cookies is 1 and the cookies are disabled on the browser,  
then session.use_only_cookies comes into play.  If that is 0, PHP will  
again pass the session id in the browser.  And if it's 1, PHP will just  
not pass the session id at all.

If you're on a shared host, you may be able to override these in your  
.htaccess file.  It all depends on what your host allows.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
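
Added example, not part of the thread or written by any of its posters: one way to combine the cookie-only settings discussed above with the set-a-cookie-then-check-it probe, so that the session ID never appears in a URL and a cookie-less browser does not create a new session file on every request. It assumes PHP 7.3 or later; the cookie name `cookie_probe`, the query parameter `probe` and the function `cookie_probe_state()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: cookie-only sessions plus a cookie probe (assumes PHP 7.3+).
// 'cookie_probe', 'probe' and cookie_probe_state() are hypothetical names.

// Keep the session ID out of URLs: no SID parameter accepted or rewritten in.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // ignore IDs the server did not issue

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => $https, // only sent over TLS when the site uses it
    'samesite' => 'Lax',
]);

// Decide from the request alone whether the browser returns cookies.
function cookie_probe_state(array $cookies, array $query): string
{
    if (isset($cookies['cookie_probe'])) {
        return 'enabled';            // the probe cookie came back
    }
    // Probe already attempted (marker in URL) but no cookie returned.
    return isset($query['probe']) ? 'disabled' : 'unknown';
}

switch (cookie_probe_state($_COOKIE, $_GET)) {
    case 'unknown':
        // First visit: send the probe cookie and reload once with a marker.
        setcookie('cookie_probe', '1', ['httponly' => true, 'samesite' => 'Lax']);
        // SCRIPT_NAME comes from the server's own mapping, not raw client input.
        header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?probe=1');
        exit;
    case 'disabled':
        // No session_start() here, so no orphan session file per request.
        echo 'This site needs cookies to keep you signed in. Please enable them.';
        exit;
    case 'enabled':
        session_start();
        $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
        echo 'Session active, visit number ' . $_SESSION['visits'];
}
```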
