11

There is one possible status for session_status called PHP_SESSION_DISABLED.

Is there any specific function that can disable sessions in PHP?

Parsa Mir Hassannia

2 Answers

7

Remark: I updated this answer several times by adding more information and striking out previous sentences that I discovered as being erroneous. On the last edit I reformulated it completely, removed the wrong sentences and references to PHP source code.


The documentation of the Sessions extension reads:

Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure.

Calling session_status() or any other session function on a PHP compiled with --disable-session triggers a PHP Fatal Error that stops the script because the function does not exist:

```
$ php -m | grep session
$ php -r 'session_start();'
PHP Fatal error:  Call to undefined function session_start() in Command line code on line 1
```

The documentation also says:

The Windows version of PHP has built-in support for this extension. You do not need to load any additional extensions in order to use these functions.

This probably means there is no way to remove the sessions functionality from PHP on Windows.

How to disable the sessions without recompiling PHP

You can disable the session functions by setting empty or invalid values for session.save_handler or session.serialize_handler in php.ini.

For testing you can set session.save_handler, for example, in the command line using the -d option; it overrides the value read from php.ini:

```
$ php -d session.save_handler=foo -r 'session_start(); var_dump(session_status() == PHP_SESSION_DISABLED);'
PHP Warning:  session_start(): Cannot find save handler 'foo' - session startup failed in Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. session_start() Command line code:1
bool(true)
```

As you can see session_start() triggers a warning complaining about the handler not being valid and the session status is disabled (it cannot start).

The sessions cannot be disabled from the PHP code

If you try to set an invalid value to session.save_handler at runtime, ini_set() triggers a warning and doesn't change the value.

```
$ php -r 'ini_set("session.save_handler", "foo"); session_start(); var_dump(session_status() == PHP_SESSION_ACTIVE);'
PHP Warning:  ini_set(): Cannot find save handler 'foo' in Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. ini_set() Command line code:1
bool(true)
```

The session is active. It started successfully.

But they can be re-enabled from the PHP code if they were disabled from settings

However, even if the handler is set as invalid in php.ini or in the command line, the PHP code can fix it before it calls session_start():

```
$ php -d session.save_handler=foo -r 'ini_set("session.save_handler", "files"); session_start(); var_dump(session_status() == PHP_SESSION_ACTIVE);'
bool(true)
```

Again, session_start() succeeded, the session is active.

Conclusion

You can disable the session functions by setting an empty or invalid value for session.save_handler or session.serialize_handler in php.ini.

Please note that if any of these values is invalid, session_start() triggers a PHP Warning.

However, because both these settings can be modified from everywhere (PHP_INI_ALL means php.ini, httpd.conf, .htaccess, PHP code), they can be, as well, set back to valid values from the PHP code, cancelling this way any effort to disable sessions.

Apparently there is no way to enforce disabling the session, apart from compiling PHP without session support, as explained above.

axiac
  • 1
    Just wondering, if we call `session_start()` to initiate sessions, wouldn't it be logical to say that if we omitted this then it would disable sessions. Also, what about `a2dismod session`? – Craig van Tonder Sep 02 '15 at 21:37
  • 2
    @IndigoIdentity nope. If you call `session_status()` before `session_start()` or after `session_destroy()` it returns `PHP_SESSION_NONE` (`==1`). Between them, `session_status()` returns `PHP_SESSION_ACTIVE` (`==2`). If [`session.auto_start`](http://php.net/manual/en/session.configuration.php#ini.session.auto-start) is `1` then `PHP` calls `session_start()` during the initialization, you don't need to call it again. And while you can start and destroy the session it means it is not disabled. – axiac Sep 02 '15 at 22:00
  • Thank you for making me smarter :) – Craig van Tonder Sep 02 '15 at 22:04
  • @axiac: I don't know why PHP set SESSION_DISABLED as one of the possible statuses, and also there is no example for this status in the PHP documentation! – Parsa Mir Hassannia Sep 02 '15 at 22:15
  • @Parsamhn I don't know either. It seems [this SO question](http://stackoverflow.com/q/3788369/4265352) is the reason the function exists. – axiac Sep 02 '15 at 22:53
  • @axiac Yes, the reason the session_status function exists is in your link, thank you. But about your update #2, I think you should replace session_serialize_handler with session.serialize_handler. Anyway, both of them don't work: session.serialize_handler or session.save_handler doesn't accept an empty value, it shows an error: Warning: ini_set(): Cannot find save handler '' – Parsa Mir Hassannia Sep 03 '15 at 08:36
  • @Parsamhn it was a typo, I corrected it. I also added a remark about `session_start()` triggering a warning when one of the mentioned handlers is empty or invalid. However, a warning doesn't stop the script and it can be suppressed by putting [`@`](http://php.net/manual/en/language.operators.errorcontrol.php) in front of the statement that generates it. It's bad practice to do it but in this case it's the only way to get the desired outcome. – axiac Sep 03 '15 at 10:05
  • @axiac, I know, but it doesn't work at all, whether with @ or not. I used this code: `@ini_set('session.save_handler','');` then I used `var_dump(Session_status()== PHP_SESSION_DISABLED);` and the output was: bool(false), but it must be bool(true). – Parsa Mir Hassannia Sep 03 '15 at 10:13
  • @Parsamhn I tested your code and discovered that you cannot disable the sessions on runtime. `ini_set()` does not change the value of `session.save_handler` if the provided value is invalid. I refactored the answer completely. – axiac Sep 03 '15 at 11:09
  • @axiac Thanks a lot, I understood. I tested them in CMD, they work, but I still don't understand: if PHP re-enables the sessions, what is the usage of PHP_SESSION_DISABLED? – Parsa Mir Hassannia Sep 03 '15 at 12:09
  • Rather than using empty or invalid values, the proper value to use for `session.save_handler` is `non-existent`. – Octopus Sep 03 '15 at 17:05
  • @Octopus what makes it "the proper value"? There is no reference to this value in the source code. It is used in several tests as a placeholder. Have you tried it instead of "foo" in the code samples I posted? PHP says: "PHP Warning: session_start(): Cannot find save handler 'non-existent' - session startup failed in Command line code on line 1". – axiac Sep 03 '15 at 19:03
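An added example, not code from either answer: because the answer above shows that PHP code can set `session.save_handler` back to a valid value, a configuration-level disable is a setting to monitor rather than an enforced control. The code below records the session state at request start and logs at shutdown if either handler or the state changed; the function names and log wording are hypothetical.

```php
<?php
// Added example, not code from either answer. Function names are hypothetical.

// Classify session support using the cases the answers distinguish.
function session_support_state()
{
    // Built with --disable-session: the session functions do not exist,
    // so test for them instead of triggering "Call to undefined function".
    if (!function_exists('session_status')) {
        return 'absent';
    }
    switch (session_status()) {
        case PHP_SESSION_DISABLED:
            return 'disabled';   // no usable save/serialize handler
        case PHP_SESSION_ACTIVE:
            return 'active';
        default:
            return 'none';       // PHP_SESSION_NONE: available, not started
    }
}

// Call once at the very start of the request. Returns the initial state.
function watch_session_disable()
{
    $initial = session_support_state();
    if ($initial === 'absent') {
        return $initial;         // no session functions to call
    }
    if ($initial !== 'disabled') {
        error_log("session policy: expected disabled, found '$initial'");
        return $initial;
    }
    $keys = array('session.save_handler', 'session.serialize_handler');
    $configured = array_map('ini_get', $keys);
    // Shutdown functions run at the end of the request, after any
    // ini_set()/session_start() calls made by application code.
    register_shutdown_function(function () use ($keys, $configured) {
        $final = array_map('ini_get', $keys);
        $state = session_support_state();
        if ($final !== $configured || $state !== 'disabled') {
            error_log('session policy: handlers ' . implode(',', $configured)
                . ' -> ' . implode(',', $final) . ", state now '$state'");
        }
    });
    return $initial;
}

watch_session_disable();
```

Load it before any application code, for example through the `auto_prepend_file` directive, so the snapshot is taken before anything can call `ini_set()`.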
4

Upon consulting the PHP source there is the following file at ext/session/tests/session_status_disabled.phpt:

```
--TEST--
Test session_status() function : disabled
--SKIPIF--
<?php include('skipif.inc'); ?>
--INI--
session.save_handler=non-existent
--FILE--
<?php

echo "*** Testing session_status() : disabled\n";

var_dump(session_status() == PHP_SESSION_DISABLED);

?>
--EXPECTF--
*** Testing session_status() : disabled
bool(true)
```

So, when there is no save_handler for the session, then session_status() will return PHP_SESSION_DISABLED.

Conclusion:

Disable sessions by doing the following:

Modify this line in the php.ini file:

```
session.save_handler=non-existent
```

If you are running a web server it may have its own config file which overrides the ini file. For me, in Apache, I had to comment out the following lines in /etc/httpd/conf.d/php.conf:

```
#php_value session.save_handler "files"
#php_value session.save_path    "/var/lib/php/session"
```

Or alternatively set the values there instead.

Octopus
  • My PHP folder doesn't have a session folder, but I used the ini_set function to change the session.save_handler value to an empty value, but I faced an error: Warning: ini_set(): Cannot find save handler ''. It doesn't accept an empty value. – Parsa Mir Hassannia Sep 03 '15 at 08:44
  • Find your php.ini file and change the line that sets the `session.save_handler` to `non-existent`. Its default value is `files`. When I did that the test php file succeeded. The ini_set command won't work in this case. I'm not sure why, but maybe because the session object has already been initiated by the time it runs any of your code. – Octopus Sep 03 '15 at 16:29
  • As axiac said: PHP will re-enable the session even if you set an empty or invalid value for session.save_handler. – Parsa Mir Hassannia Sep 03 '15 at 16:35
  • No, not an empty value. You need to set it to "non-existent" – Octopus Sep 03 '15 at 16:36
  • Worked for me. Are you sure you're setting it in the right ini file? – Octopus Sep 03 '15 at 16:41
  • Yes, I'm sure, I set non-existent to session.save_handler in C:/PHP/php.ini. – Parsa Mir Hassannia Sep 03 '15 at 16:44
  • If you are using a web server it may have its own overrides that changes the value of `session.save_handler`. I added a section to the end of my answer. – Octopus Sep 03 '15 at 17:02
  • I'm using the Apache web server on Windows; there isn't an 'etc' folder in my Apache folder, and also there is no config about PHP (php.conf)! – Parsa Mir Hassannia Sep 03 '15 at 17:32