I am searching for the main difference between sessions and cookies, and when to use sessions and cookies. Please clarify. Thanks.

shishir mishra
    [The PHP docs do tell you of another option to cookies](http://php.net/manual/en/session.idpassing.php) – Mark Baker Feb 21 '17 at 22:29

1 Answer

As another user linked to, yes they can: there are config options for PHP to not use cookies and instead rely on passing the session ID as part of the URL. You can either do this manually or ask PHP to do it. If PHP is set to automatically add the ID, it uses output buffering to replace any URLs it detects in your output; it does this by default on certain tags (a, form, etc.).

See options here: http://php.net/manual/en/session.configuration.php

session.use_cookies (boolean): specifies whether the module will use cookies to store the session ID on the client side. Defaults to 1 (enabled).

session.use_trans_sid (boolean): whether transparent SID support is enabled or not. Defaults to 0 (disabled).

session.trans_sid_tags (string): specifies which HTML tags are rewritten to include the session ID when transparent SID support is enabled. Defaults to a=href,area=href,frame=src,input=src,form= (form is a special tag: a hidden <input> carrying the session ID is added as a form variable).

Also heed its warnings:

Note: URL-based session management has additional security risks compared to cookie-based session management. Users may send a URL that contains an active session ID to their friends by email, or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example. Since PHP 7.1.0, the full URL path, e.g. https://php.net/, is handled by the trans sid feature. Previous PHP versions handled relative URL paths only. Rewrite target hosts are defined by session.trans_sid_hosts.

Cookies and Sessions

Generally sessions do use cookies. You asked for the difference between sessions and cookies; although not really comparable here is some info on them both:

Cookies

Cookies are a method of storing simple key/value pairs locally within the browser's storage; they can persist between browser restarts, but the user can wipe them. Cookies cannot total more than 4KB (see What is the maximum size of a web browser's cookie's key?).

From the docs: http://php.net/manual/en/function.setcookie.php

<?php
// setcookie() must be called before any output is sent (it writes an HTTP header)
$value = 'something from somewhere';

setcookie("TestCookie", $value);                        // session cookie, current path
setcookie("TestCookie", $value, time() + 3600);         /* expire in 1 hour */
setcookie("TestCookie", $value, time() + 3600, "/~rasmus/", "example.com", true); // path, domain, Secure flag

// A cookie set above only appears in $_COOKIE on the *next* request,
// and the browser can send any value, so check it exists before using it
if (isset($_COOKIE["TestCookie"])) {
    // Print an individual cookie
    echo $_COOKIE["TestCookie"];
}

Sessions

When you call session_start(), PHP checks the cookies to see if it has already set a 'session id', and if not sets one. It then uses this to identify the user/session, and allows you to temporarily save data on the server attributed to this ID. Each time you call session_start() it will populate $_SESSION, and at the end of each script it will save this. This does mean that pages cannot load simultaneously if they both use sessions. Some good examples of sessions can be seen here: https://www.w3schools.com/php/php_sessions.asp

Sessions don't have a limit as such, but are limited by other factors (see Maximum size of a PHP session).

Summary

  • Sessions generally use cookies
  • Cookie Data is stored locally, Session Data is stored on server
  • Cookie Data size limit is relatively small (4K), Session Data is only limited by other things.
  • Cookie Data is just simple key/value pairs, Session data can also be arrays, objects
Theo
  • If it can be shared then you can't have a private session. It will not make sense to have a private session that will show your private token in the request URL. I would rather ask the user to enable cookies! If it's a public session then yes, you can use a no-cookies session. – Waheed Nov 21 '18 at 07:25
  • If you are desperate and you want to use an argument session, the token needs to be a hash of a user-agent and an IP address and hostname probably; this way, if it's accessed from another IP address or a different browser it will be invalidated and the session shall be revoked. – Waheed Nov 21 '18 at 08:38
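The configuration the answer above warns about (session ID carried in the URL via session.use_trans_sid) next to the cookie-only setup it recommends, plus the login/logout handling and the cookie-vs-session split the Summary describes, as an added example that is not code from the original answer or from the PHP docs. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and the SameSite attribute) and an HTTPS site; the function names secure_session_start(), login(), logout() and set_theme_cookie() and the cookie name 'app_sid' are this example's own choices, not PHP APIs.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// --- The URL-based setup the answer describes (do NOT ship this) -----------
// ; php.ini
// session.use_cookies      = 1
// session.use_only_cookies = 0   ; also accepts ?PHPSESSID=... from the query string
// session.use_trans_sid    = 1   ; rewrites <a href>, <form> etc. to carry the ID
// With this, any link a user copies, emails or bookmarks carries a live session ID.

// --- Cookie-only setup, applied before session_start() ----------------------
function secure_session_start(): void
{
    // The session ID travels in a cookie only; URL rewriting is off.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Reject IDs the server never generated, so a bookmarked or planted ID
    // is not silently accepted as a new session.
    ini_set('session.use_strict_mode', '1');

    // Cookie attributes: unreadable from JS, HTTPS only, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_name('app_sid'); // hypothetical name replacing the default PHPSESSID
    session_start();
}

// Call after credentials are verified. Regenerating the ID means an ID that
// was observed or shared before login is no longer tied to this user.
function login(int $userId): void
{
    session_regenerate_id(true);   // true = remove the old session data on the server
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the client-side cookie with the same attributes it was set with
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Cookie vs session in practice: a UI preference may live in a cookie
// (client-side, user-editable, harmless if tampered with); the user's identity
// lives in $_SESSION (server-side, only the opaque ID reaches the client).
function set_theme_cookie(string $theme): void
{
    // Cookie values are attacker-controlled input: whitelist on write and on read.
    if (!in_array($theme, ['light', 'dark'], true)) {
        $theme = 'light';
    }
    setcookie('theme', $theme, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,   // JS may read a display preference
        'samesite' => 'Lax',
    ]);
}

secure_session_start();
// After verifying the submitted credentials (not shown): login($userId);
// On "sign out": logout();
```

The config lines that matter are use_only_cookies, use_trans_sid and use_strict_mode: with those three set as above, a session ID that shows up in a query string or a bookmark is ignored rather than adopted, which is the risk the quoted PHP warning is about. The ini_set() calls work because these settings are PHP_INI_ALL; putting them in php.ini instead has the same effect.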