74

I'm playing around with cookies, and I don't have any cookie called PHPSESSID.

Do I need it? Can I remove it?

What's the "function" of it?

```php
<?php
// Set a cookie from the submitted form value, expiring in one hour.
if (count($_POST)) {
    setcookie("TestCookie", htmlspecialchars($_POST['val']), time() + 3600);
}

// Dump every cookie the browser sent with this request.
print_r($_COOKIE);
```

Prints:

```text
Array
(
    [TestCookie] => blabla
    [PHPSESSID] => el4ukv0kqbvoirg7nkp4dncpk3
)
```
  • 3
    It's just the default identifier that PHP uses for cookies which are generated by `session_start()`. If you want to change that name, use `ini_set('session_name', 'somethingElse')` – caw Jul 13 '16 at 00:02
  • 1
    NO, it is ini_set('session.name', 'somethingElse'); (notice the dot) and you must use it BEFORE session_start(); on EVERY PHP page (not just the login page). – Tarik Dec 03 '16 at 07:44
  • OR use session_name('somethingElse'); (on every page before session_start() or session_register() are called) – Tarik Dec 03 '16 at 07:51

7 Answers

71

PHP uses one of two methods to keep track of sessions. If cookies are enabled, like in your case, it uses them.

If cookies are disabled, it uses the URL. Although this can be done securely, it's harder and it often, well, isn't. See, e.g., session fixation.

Search for it, you will get lots of SEO advice. The conventional wisdom is that you should use the cookies, but PHP will keep track of the session either way.

Stypox
DigitalRoss
    I Googled it. This is where Google led me. – Dustin Graham Nov 05 '13 at 23:21
  • 8
    Don't use the URL for session IDs! It's unsafe. – Mark E. Haase Jan 09 '14 at 19:57
  • 1
    @mehaase apart from ugly URLs I don't think it is much less secure than cookies. On the one hand I don't think someone looking from behind your back will remember the whole session ID, on the other hand cookies aren't harder to read by anyone sniffing on your connection or having access to your PC. – Pax0r Jan 08 '16 at 10:03
  • 29
    @Pax0r Alice wants to share something, so she copies the URL and sends it to Bob. Bob clicks link. Bob is now logged in as Alice. A URL is supposed to represent a *resource*, not a *state*. Embedding state in a URL is always going to be a bad idea. Cookies were introduced specifically to enable statefulness within a stateless protocol. – Mark E. Haase Jan 08 '16 at 14:39
  • 1
    @mehaase ok I see your point with sharing links. I just wanted to emphasize that cookies aren't secure either. – Pax0r Jan 08 '16 at 15:02
30

PHPSESSID reveals you are using PHP. If you don't want this you can easily change the name using the session.name in your php.ini file or using the session_name() function.

Red
Brad Kent
    Over [80%](http://w3techs.com/technologies/history_overview/programming_language) of the web uses PHP, this information is useless. No one can find a server's flaws based on just this information. – Kalzem Nov 01 '14 at 12:12
  • 35
    It's still a way of identifying the technology that the server is currently running, which you may or may not want to reveal. – James Spittal Apr 08 '15 at 03:14
  • 2
    There are better ways to identify technology. For example, a header such as: `X-Powered-By: PHP/7.2.15-0ubuntu0.18.04.1` – German Lashevich Mar 23 '19 at 12:34
  • 3
    @GermanLashevich php ini: `expose_php = off` disables the X-Powered-By header... alternatively `header_remove("X-Powered-By");` or `header('X-Powered-By: Gerbils');` to make it whatever you want – Brad Kent Apr 29 '19 at 16:56
  • @BradKent sure, I didn't say that exposing this data is unavoidable. I was just pointing out that there are more things to care about in the context of security. – German Lashevich Apr 29 '19 at 20:41
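Putting the two answers above and their comments together, here is an added example (not code from the question or from any answer) of a PHP session bootstrap: cookie-only tracking instead of URL-based IDs, a renamed session cookie, strict mode plus ID regeneration on login as the mitigation for session fixation, and the X-Powered-By header removed. The cookie name app_session and the login_user() helper are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. "app_session" and login_user()
// are assumed names chosen for illustration.

// Rename the session cookie before session_start() (session.name / session_name()).
// This only hides the "PHPSESSID" fingerprint; it does not secure the session.
session_name('app_session');

// Track sessions with cookies only: never accept or emit an ID in the URL.
// This is what keeps a copied link from carrying someone's session along.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Reject IDs the server did not generate itself. Without this, an ID a third
// party planted in the cookie would be adopted as-is (session fixation).
ini_set('session.use_strict_mode', '1');

// Cookie attributes: unreadable by scripts, TLS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// Drop the technology banner (same effect as expose_php = Off in php.ini).
header_remove('X-Powered-By');

// Assumed login helper: on a privilege change, issue a fresh ID so that any ID
// known before login no longer maps to the authenticated session.
function login_user(string $userId): void
{
    session_regenerate_id(true); // true = discard the old session data file
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

if (isset($_POST['user'])) {
    login_user((string) $_POST['user']);
}

// The question's print_r() would now show an "app_session" entry
// instead of "PHPSESSID".
print_r($_COOKIE);
```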
5

It's the identifier for your current session in PHP. If you delete it, you won't be able to access/make use of session variables. I'd suggest you keep it.

Noon Silk
  • How do you get the session variables with it? –  Apr 13 '21 at 00:40
  • I've been trying to understand how to access the session values with PHPSESSID for so long but I just can not find it anywhere. Not sure if I'm thinking about it right. –  Apr 13 '21 at 00:59
2

Check php.ini for the auto session ID setting.

If you enable it, you will have PHPSESSID in your cookies.

Roman Losev
2

PHPSESSID is a session cookie auto-generated by the server, which contains a long random number issued by the server itself.

0

Using cookies in PHP 7.4 and the Microsoft Edge browser, PHPSESSID only seems to be generated when first loading/initializing a web app. If I remove the cookie in the browser settings (but keep the web application tab open), it kills the session and forces me to log in again. However, when I log back into the web application the PHPSESSID cookie does not regenerate, and yet I still have my session variables working as expected.

I was testing this because I have a web app that loads an external form (from another site) within an iframe and when the form submits and redirects back to my web app (within the iframe) it loses the session within the iframe. Removing the PHPSESSID cookie fixed the problem of losing the session, but I'm not sure why the cookie is the problem (but that is for another thread).

w. Patrick Gale
-1

That's because you were loading an insecure web app (likely HTTP) or even have some malware that wanted you to log back in after stealing your cookie. That way it could generate a new one to capture

  • Hi, and welcome. Please take the [tour](https://stackoverflow.com/tour), to better understand community rules – pierpy Apr 21 '23 at 10:55