I read some articles and after that I understand that sessions will work in PHP if cookies are not enabled on the client system. So if cookies are not enabled on the client system, then the server will create a unique session id for the user and the server will recognize the client by using this unique id. Now if cookies are not enabled, the session id will be shown in the URL, and if there is any form on the page then an input of type hidden will be created with the name PHPSESSID. But if I make the changes in php.ini then the session id will not be visible in the URL. Now suppose I open a page on my website which doesn't have any form, and because I have made the changes in php.ini the PHPSESSID will not be visible in the URL; then how will I get the session data on that page? Please explain. I have seen the other answers on Stack Overflow and no one has considered this situation.
Can you rephrase in a more coherent way? What's the actual question? – Jonnix Aug 31 '16 at 15:35
I want to know: if cookies are disabled and session id visibility in the URL is also disabled, then how will we get the session on the page? – Akhilesh Jha Aug 31 '16 at 15:39
2 Answers
I would look into the following two links:
It is still possible, but it is not recommended. As soon as the user closes the browser, their session is lost, and they have to log in again.
Their session will be lost anyway as session cookies are flushed when the browser is closed. Only standard (non-session) cookies live longer. – Boris Schegolev Aug 31 '16 at 15:41
I already went through the above links but I didn't understand how I will get the session on a page when cookies and getting data from the URL are both disabled – Akhilesh Jha Aug 31 '16 at 15:42
@BorisShchegolev But how will it work when the user has not closed their browser? – Akhilesh Jha Aug 31 '16 at 15:45
@Ricky prob privacy or security concerns about showing sessions in the URL – BeetleJuice Aug 31 '16 at 15:47
@Ricky No, I just want to understand: if cookies and getting the session id from the URL are both disabled, then how will the session reach that page? – Akhilesh Jha Aug 31 '16 at 15:48
@Ricky I want to understand how the session will reach some page if the session id is not coming from the URL and cookies have already been disabled on the user's computer – Akhilesh Jha Aug 31 '16 at 15:50
You could probably then use POST statements but that would require you to embed the variables into every link they go to via the website. – Aug 31 '16 at 15:52
@Ricky You mean if both are disabled then the session will not reach the website page? – Akhilesh Jha Aug 31 '16 at 15:53
@Ricky I am not saying that this will create any problem. If someone asks you this question, then what will be your answer about this? – Akhilesh Jha Aug 31 '16 at 15:59
OK, let's say you have a client that does not accept cookies, at all. And your webserver has URL SESSIONID forwarding disabled. You are asking what will happen?
Absolutely nothing will happen. The server will issue a cookie, client will deny it. User will not be logged in, even if he provided the correct password. I mean he will log in successfully, but at the next request he will be asked to log in again.
If you want to avoid such a situation you can design your authentication differently. For example you can use OAuth or any other token-based authentication. Then the server will send the token(s) without using the Cookie header, client-side JavaScript will store it (i.e. in the Web Storage) and send it back to the server with every request. This approach works well with AJAX-based applications.
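The token flow described in the second answer, as an added example (not code from the answer): the server returns a random token in the response body and the client keeps it in storage and sends it in an `Authorization` header on every request. The function names, the in-memory stores and the sample account are assumptions; the `storage` Map stands in for the browser's `sessionStorage` so the block also runs under Node.

```javascript
// Added example: token session with no Cookie header and no id in the URL.
// All names here (login, handleRequest, clientFetch, USERS) are hypothetical.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// ---- server side ----
// Constructed sample account; a real server checks a password hash instead.
const USERS = new Map([['alice', 'constructed-sample-password']]);
const sessions = new Map(); // token -> { user, expires }
const TTL_MS = 15 * 60 * 1000;

function login(user, password, now = Date.now()) {
  if (!USERS.has(user) || USERS.get(user) !== password) return { status: 401 };
  const bytes = webCrypto.getRandomValues(new Uint8Array(32));
  const token = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  sessions.set(token, { user, expires: now + TTL_MS });
  return { status: 200, token }; // sent in the response body, not Set-Cookie
}

function handleRequest(headers, now = Date.now()) {
  // Accept only a well-formed token from the Authorization header.
  const m = /^Bearer ([0-9a-f]{64})$/.exec(headers.Authorization ?? '');
  const s = m && sessions.get(m[1]);
  if (!s || s.expires <= now) {
    if (m) sessions.delete(m[1]); // drop expired entries
    return { status: 401 };
  }
  return { status: 200, user: s.user };
}

// ---- client side ----
const storage = new Map(); // stand-in for window.sessionStorage

function clientLogin(user, password) {
  const res = login(user, password);
  if (res.status === 200) storage.set('token', res.token);
  return res.status;
}

function clientFetch(now) {
  const token = storage.get('token');
  const headers = token ? { Authorization: `Bearer ${token}` } : {};
  return handleRequest(headers, now); // every request carries the token
}
```

A token kept in Web Storage is readable by any script running on the page, so this design relies on the page being free of script injection in a way an HttpOnly cookie does not.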