PHP Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 3.00

Managing Session IDs without Cookies

<< Creating and Managing Sessions in PHP Scripts

<< PHP Tutorials - Herong's Tutorial Examples

This section provides a tutorial example on how to stop storing the session ID as a cookie, and using a URL transparent parameter to store the session ID.

If don't like to use the cookie technology to manage the session ID, you can try to use the URL transparent parameter to manage the session ID. Here is what I did to test the URL transparent parameter.

1. Open and edit the configuration file, \php\php.ini: 

session.use_cookies = 0
session.use_trans_sid = 1

2. Re-run http://localhost/SessionPage1.php, I got: 

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:

3. Click "Next" on the first page, the URL address on the browser was changed to: http://localhost/SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5. The browser displayed: 

I am buying 3 PHP books.
The unit price is 9.99 per book.

Next  Prev

Counter = 2
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
   PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

4. Click "Next" on the second page, the URL address on the browser was changed to: http://localhost/SessionPage3.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5. The browser displayed: 

I am buying 3 PHP books.
The unit price is 9.99 per book.
The total price is 29.97.

Prev

Counter = 3
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
   PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

Output shows that the session concept still worked correctly. But a couple of interesting things happened here:

  • If you ask PHP to use transparent session ID management, it will modify all the links to include the session ID as part of URL addresses. See the source code of the first page in the browser, you should see that the URL of "Next" button was modified as href=SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5.
  • Outputs show that now the session ID is stored in the $_GET array.
  • Since the session ID is stored in the URL field of the browser, everyone can see it. So this is less secure that storing the session ID a cookie.

Last update: 2005.

Sections in This Chapter

What Is a Session?

How Sessions Are Support in PHP?

SessionPage*.php - Session Test Script Pages

Running Session Test Script Pages

Managing Session IDs without Cookies

Where Is Session Data Stored?

Dr. Herong Yang, updated in 2009
Managing Session IDs without Cookies