CLIENT: start_session() creates a cookie (by default): Name: PHPSESSID; Content: 1q2w3e4r5t; Domain: '/'; Expires:...

SERVER: It also creates a file stored in (my case): /var/lib/php/sessions. Call that in there: sess_1q2w3e4r5t. (Absolute path: /var/lib/php/sessions/sess_1q2w3e4r5t)

So we have two physical things that are bonded to the session I just created.

  • What is the point of having both?

  • Can I just store my session in /var/lib/php/sessions regardless of the use_only_cookies option?

  • I have a classic example with a $_SESSION['counter'] variable, meaning that every time I reload the example.php page, $_SESSION['counter'] increments (++) by one. So, in the loop of pressing the F5 button, let's say I got 55 as the value of $_SESSION['counter']. Finally I delete that cookie but not the /var/lib... file. After that deletion I get a 56 and the loop continues as normal. This just intrigued me and left me with the question: are session cookies necessary?

  • Is there still a possible way in which my site stores the session only on the server, without using cookies?

This is how I deleted the cookie. Notice the counter value is 69.

Deleting the cookie

Then F5:

are cookies necessary?

1w3j
  • Huh? Without cookies, all your requests will be stateless. – Raj Feb 08 '17 at 04:21
  • But.. like I said, after removing the cookie, `$_SESSION['counter']` still kept the same value... correct me if I'm wrong referring to it as a kind of request – 1w3j Feb 08 '17 at 04:23
  • Are you possibly mixing up the fact that removing a cookie is not the same as deleting a session or a session variable? You'll have to use `unset($_SESSION['counter'])` in PHP to *lose* its value. – Dhruv Saxena Feb 08 '17 at 04:43
  • Well, recently I've read [cookies vs sessions](https://stackoverflow.com/questions/6253633/cookie-vs-session) and [this question](https://stackoverflow.com/questions/13411820/are-cookies-and-sessions-are-depend-on-each-other). I've realized that one is stored on the server and the other client-side. But is there still possibly a way in which my site stores the session only on the server, without using cookies? – 1w3j Feb 08 '17 at 04:54
  • The cookie that PHP is using for sessions is `PHPSESSID`. `GLOBAL_SESS` must be something you've set somewhere. – Scopey Feb 08 '17 at 20:55

2 Answers

The cookie is there so that the client can tell the server which session file is theirs. The cookie value corresponds to the file that's created on the server.

Without it, the server will just create a new session file for the client, and obviously none of the data from the previous request will be there.

I can only imagine that you are not deleting the cookie properly.

Scopey
  • I would tokenize the session file to obtain the session ID: `sess_ + 1q2w3e4r5t`. Thus, not needing a cookie. – 1w3j Feb 08 '17 at 04:35
  • So how do you know in two subsequent requests if a client is the same person? You're just talking about things on the server side. The client needs to tell the server which session is theirs. – Scopey Feb 08 '17 at 20:52
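
To see which cookie the browser actually presents and which server-side file it is mapped to, here is an added example (not code from any of the posts on this page). It assumes the default `files` save handler with a plain directory in `session.save_path`; the hardening options passed to `session_start()` go beyond what the question asks and are included because they keep the session ID in the cookie only.

```php
<?php
// Added example, not from the original posts. Save as example.php and reload it.

// Keep the session ID in the cookie only: never read it from or write it to
// the URL, and refuse IDs that the server did not issue itself.
session_start([
    'use_only_cookies' => 1, // ignore a session ID passed in the query string
    'use_trans_sid'    => 0, // never rewrite links to carry the session ID
    'use_strict_mode'  => 1, // an unknown ID from the client gets replaced
    'cookie_httponly'  => 1, // keep the ID out of reach of page scripts
]);

$name = session_name();            // "PHPSESSID" unless configured otherwise
$sent = $_COOKIE[$name] ?? null;   // the ID the browser presented, if any
$id   = session_id();              // the ID the server is using for this request

// Assumption: default "files" handler, where the data lives in sess_<id>.
$dir  = session_save_path() ?: sys_get_temp_dir();
$file = $dir . '/sess_' . $id;

$_SESSION['counter'] = ($_SESSION['counter'] ?? 0) + 1;

header('Content-Type: text/plain');
echo 'cookie sent by browser : ', $sent ?? '(none)', "\n";
echo "session ID in use      : $id\n";
echo "server-side file       : $file\n";
echo "counter                : {$_SESSION['counter']}\n";

if ($sent === null) {
    // No cookie: the server cannot tell who this is, so it starts a new session.
    echo "no session cookie received, a new session was created\n";
} elseif ($sent !== $id) {
    // Strict mode: the presented ID had no matching session on the server.
    echo "presented ID was not recognised and has been replaced\n";
} else {
    echo "cookie matched an existing session file\n";
}
```

If the counter keeps increasing after a cookie has been deleted, the first output line shows whether the browser is in fact still sending the session cookie.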
0

> A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

  • The point of having both session and cookie is the quote above

In short: without cookies, the client would become a strange visitor

1w3j