51

Today I had skype interview for a job as PHP developer, one of the questions asked was about Cookies and PHP Sessions.

The question was, can PHP session be set and read, used, if Cookies are disabled in users Browser?

I told them no, because PHP sessions by default depend on setting a session cookie. When a PHP session starts, a new session cookie is set with the default name PHPSESSID, and that cookie holds the value of that session id, for example: ftu63d8al491s5gatuobj39gk7. Then on the Apache server, in the tmp folder, the file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds the content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.

Then I told them that you can do that, but then the session id would be passed through the URL as a GET variable. And that's not secure, and you must set it up in php.ini.

They were talking about how you can use PHP Sessions even if Cookies are disabled in the browser. And what if we are building a web shop, and some granny uses our web shop and disables cookies and she just doesn't care. And that PHP Sessions are great because you can use them even if the user disables Cookies. I was like wtf, wtf wtf?!?!

I made a test with two files: index.php starts the session and sets session variables. Then session.php tries to read those session variables.

This is how it looks:

index.php

<p>This is where I start and set php sessions.</p>

<?php

    session_start();
    $_SESSION['test1'] = "SessionTest1";
    $_SESSION['test2'] = "SessionTest2";

?>

<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p><a href="session.php">Read Session</a></p>

session.php

<?php

    session_start();
    var_export($_SESSION);

?>

<p><a href="index.php">Back</a></p>

Now, if you enable cookies in your browser, visit index.php, and then visit session.php, the session would be printed out.

But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see an empty array, right?

So basically my question is, am I right? Can you use PHP sessions if you disable cookies in your browser? And does the PHP Session mechanism, by default, depend on setting a session COOKIE?

Update: I was going mad about this, so I called back the guy I was talking with. And asked him, can a PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and started laughing. Then I told him, ok, if a PHP session can work without setting a cookie, how would the server know the current user/browser session id, if it's not stored in a session cookie? (I wanted to see if he knows that the session id can be passed as a GET variable) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask that the Developer guy. And that he is 43 years old and has huge experience of 13 years in the business (he started at 30? wtf?), but he trusts me on this one. And I explained to him how Sessions work and that you can use them without a Cookie but then the session id is passed as a GET variable, and told him I told them that on the interview, but they were telling me no, no no... :S

So basically, the guy didn't have a clue about PHP and PHP Sessions, and yes, he was the one that asked me about sessions, telling me that a PHP Session can work without a cookie, even when I told him it can't be done, and that there is a way to use PHP Sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in the tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept a job offer from them, and after all this I don't think they will offer me a job anyway...

Thanks for all the comments!

Limeni
  • 4,954
  • 8
  • 31
  • 33
  • 1
    No, it doesn't. How do you store state without cookies? – slugonamission Sep 24 '12 at 20:10
  • No as "no you are not right!", or no as "no you can't set a session with disabled cookies"? :D – Limeni Sep 24 '12 at 20:11
  • 4
    you can use sessions without cookies, the session id is then passed in the url instead of a cookie –  Sep 24 '12 at 20:11
  • and those people never answered to their own question, did they? – Zathrus Writer Sep 24 '12 at 20:12
  • No, they told me that you can use Sessions without cookies and that's it. And I did tell them that you can use sessions without cookies, but then the session id would be set in the URL as a variable. And that it's not secure. I didn't know the right php.ini line, but I did tell them you can use it that way, or you need cookies. I was clear that PHP Sessions by default don't work without cookies. And they said that's wrong :S – Limeni Sep 24 '12 at 20:17
  • Passing the ID in the URL is no less secure than passing it in a cookie. – Alex Howansky Sep 24 '12 at 20:18
  • what security issue do you see here? i can see the session id in the cookie on my machine as well as the one in the url –  Sep 24 '12 at 20:19
  • 1
    The security issue is if you copy your URL to a friend, then he has your session ID and can act as you. You can't do that with a cookie, by accident! – Limeni Sep 24 '12 at 20:21
  • 4
    Risk is no different with a cookie. The person sitting at the computer after you leave has your cookies. – Alex Howansky Sep 24 '12 at 20:23
  • Technically it's just a matter of where to save state. Ask any dot net programmers about viewstate in order to hear what happens when you choose to POST state information back and forth (disclaimer: I don't know if they still have that on the dark side) – andkrup Sep 19 '14 at 13:11
  • Possible duplicate of [PHP session without cookies](http://stackoverflow.com/questions/3740845/php-session-without-cookies) – Cees Timmerman Dec 06 '16 at 17:43
  • @AlexHowansky , while someone may be able to hijack your session, by sitting down in front of your browser after you, session identifiers can unwittingly be leaked if they are in the url, with something as simple as a copy/paste of an address. – Progrock Apr 09 '18 at 15:32

9 Answers

27

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Sessions: Introduction

9

If session.use_cookies = 1 (Cookie enabled.)

If session.use_cookies = 0 (Cookie disabled.)

If session.use_cookies = 1, then the session stores the session ID in a cookie. Calling session_id() gets the stored session ID from the cookie, and the data saved in the session array will be found on all pages. If session.use_cookies = 0, the session does not store the session ID in a cookie, you will get a new session ID each time from session_id(), and data stored in the session on one page will not be found on other pages.

Ranjan
  • 263
  • 2
  • 11
5

So basically my question is, am I right?

Mostly. In the real world: YES.

Can you use PHP sessions if you disable cookies in your browser?

You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

  • session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREFs and so on. Where it is not propagated because the automagical link recognition failed (e.g. a complex URL built in JavaScript), it is your responsibility to provide it accordingly.

Or - and here we're not in Kansas anymore:

  • passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:guest@www.example.com ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
  • recognizing the browser some other way ("fingerprinting") (this is normally (1) suicidal)
  • Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
  • other ways ( see http://en.wikipedia.org/wiki/Evercookie )

(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.

LSerni
  • 55,617
  • 10
  • 65
  • 107
5

Yes, the session will work when cookies are disabled. But first Apache checks the PHP configuration settings, like:

   --enable-trans-sid
and
   --enable-track-vars

If these values are set to true, the session will be passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.

<a href="index.php?<?= SID ?>">Navigate from here</a>

Need to set in php.ini:

ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);
Pankaj Chauhan
  • 1,623
  • 14
  • 12
  • 1
    i searched --enable-trans-sid and --enable-track-vars but didn't find either in php.ini or in http.conf – dev_khan Jul 02 '15 at 12:18
3

You are right, a Session cannot work without cookies. To illustrate this, try doing the following actions.

  1. Login To Gmail.
  2. After login, disable the cookies.
  3. Refresh the page.

You will be redirected to the login page again as the server cannot identify the session.

  1. Now again enable the cookies.
  2. Refresh the page. (Note: Don't click on login button).
  3. You will be automatically redirected to the Gmail inbox.

Hence, we can say without cookies session will not work.

Also, if you are trying to log in to Gmail (taken as an example, you can take any website) with disabled cookies, then it will show the message "Your browser has cookies disabled. Make sure your cookies are enabled and try again."

Rohit Ghotkar
  • 803
  • 5
  • 17
  • 1
    you have cookies or not? the system couldn't understand your intentions. your example is this. But for systems like gmail people count on more secure methods. Without cookies session tracking is possible and many other methods exist, like session.use_cookies = 0 (Cookie disabled.) – nerkn Nov 20 '18 at 19:42
  • You are right, session tracking without cookies is possible if we do some modification in the php.ini file, like **session.use_trans_sid** set to 1. – Rohit Ghotkar Nov 23 '18 at 06:11
0

If it was me, I would say "Yes".

Since you could store the session in a form / URL somewhere to be passed to the next page (very bad idea). So, based on his question "can PHP session be set and read, used, if Cookies are disabled in users Browser?"

Then, it should be yes. It can be read and used.

However, if the user closes the browser, then it's gone, and that's it. (since that guy didn't ask about this part)

Sruit A.Suk
  • 7,073
  • 7
  • 61
  • 71
0

Yes.. It will work.

  1. PHP will pass one GET parameter in the URL with the name PHPSESSID, but it can be changed via session.name in the php.ini file.
  2. It adds one hidden input in forms with the same name.

0

You will need to put the session ID in the URL. You will need to make a change in your php.ini file so if you are on a shared host you will need to contact them to see what they will do for you.

amrezzd
  • 1,787
  • 15
  • 38
0

// tell PHP not to use cookies for the session, and to propagate the session ID in the URL instead

 ini_set('session.use_cookies', '0');
 ini_set('session.use_only_cookies', '0');
 ini_set('session.use_trans_sid','1');
 session_start();

// then pass the session ID in the URL (inspect, open the Network tab, refresh the page and you will see your session ID in the headers)

Mamé
  • 59
  • 5
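Putting the ini_set() approach from Pankaj Chauhan's and Mamé's answers together with the OP's index.php/session.php test, as an added example that is not code from the question or any answer: one file that starts a cookieless session, leaves the link to the transparent-SID rewriter, and turns on session.use_strict_mode so an ID arriving in the URL that this server never issued is discarded rather than adopted. The single-file layout, the ?page= parameter and the default session name PHPSESSID are assumptions of this example.

```php
<?php
// Added example, not code from the question or any answer. A single file
// plays both roles of the OP's test: ?page=index stores the values,
// ?page=read prints them (both names are assumptions of this example).

// Cookieless session: no Set-Cookie header, the ID is accepted from the
// query string, and relative links/forms in the output are rewritten to
// carry it.
ini_set('session.use_cookies',      '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid',    '1');
// Mitigation for the URL-propagation risk discussed in the comments: an ID
// that arrives in the URL but was never issued by this server (e.g. a link
// someone else crafted) is thrown away and a fresh one generated, instead
// of being adopted (session fixation). Available since PHP 5.5.2.
ini_set('session.use_strict_mode',  '1');

session_start();

$page = $_GET['page'] ?? 'index';

if ($page === 'read') {
    // Equivalent of the OP's session.php: the values are found only
    // because the ID came back in the query string.
    header('Content-Type: text/plain');
    var_export($_SESSION);
    exit;
}

// Equivalent of the OP's index.php.
$_SESSION['test1'] = 'SessionTest1';
$_SESSION['test2'] = 'SessionTest2';

// Check for the reader: with use_cookies=0 no session cookie is queued
// (assumes the default session name PHPSESSID).
$setsCookie = (bool) preg_grep('/^Set-Cookie: PHPSESSID=/i', headers_list());
echo '<p>Session ' . htmlspecialchars(session_id())
   . ($setsCookie ? ' was sent as a cookie.' : ' started with no session cookie.')
   . '</p>';

// The transparent-SID rewriter appends PHPSESSID=... to this relative link.
// URLs assembled elsewhere (e.g. in JavaScript) need the SID constant
// appended by hand, and the ID then travels with the URL to anyone it is
// shared with, which is the leakage risk Limeni and Progrock point out.
echo '<p><a href="?page=read">Read Session</a></p>';
```

Open the file with cookies disabled, follow the link, and the two values are printed; edit the PHPSESSID in the address bar to an unissued value and the read page shows an empty array because strict mode rejected it.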