Discussion of Coding

Blog coding and discussion of coding about JavaScript, PHP, CGI, general web building etc.

Wednesday, February 10, 2016

PHP Sessions with disabled cookies, does it work?

Author:  |   |  No comments | 

PHP Sessions with disabled cookies, does it work?


Today I had skype interview for a job as PHP developer, one of the questions asked was about Cookies and PHP Sessions.

The question was, can PHP session be set and read, used, if Cookies are disabled in users Browser?

I told them not, beacuse PHP Sessions by default depends on setting a session cookie. When PHP session starts, new session Cookie is set with default name PHPSESSID, and that cookie holds value of that session id, for example: ftu63d8al491s5gatuobj39gk7 Then on apache server in tmp folder file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.

Then I told them that you can do that, but then session id would be passed through URL as GET variable. And that's not secure and you must set it up in php.ini.

They were talking how you can use PHP Sessions even if Cookies are disabled in browser. And what if we are building web shop, and some granny uses our web shop and disables cookies and she joust don't care. And that PHP Sessions are great because you can use them even if user disables Cookies. I was like wtf, wtf wtf?!?!

I made test with two files, index.php starts session and sets session variables. And then session.php tries to read that session variables.

This is how it looks:

index.php

This is where I start and set php sessions.
        
This is a link, that starts new HTTP Request, and tries to read session set on this page:
  
Read Session

session.php

    
Back

Now, if you enable cookies in your browser, visit index.php, and the visit session.php , session would be printed out.

But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see empty array right?

So basically my question is, am I right? Can you use PHP sessions if you disable cookies in your browser? And do PHP Session mechanism by default, depends on setting a session COOKIE?

Update: I was going mad about this, so I called back the guy I was talking with. And asked him, can PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and start laughing. Then I told him, ok if PHP session can work without setting cookie, how would server know current user/browser session id, if its not stored in a session cookie? (I wanted to see if he knows that session id can be passed as GET variable) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask that the Developer guy. And that he is 43 years old and has huge experience of 13 years in the bussines (he started with 30? wtf?), but he trusts me on this one. And I explained him how Session work and that you can use it without Cookie but then session id is passed as GET variable, and told him I told them that on interview, but they ware telling me no, no no... :S

So basically, the guy didn't have a clue about PHP and PHP Sessions, and yes he was the one that asked me about sessions telling me that PHP Session can work without cookie, even when I told him it cant be done, and that there is a way to use PHP Sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept job offer from them, and after all this I dont think they will offer me a job anyway...

Thanks for all the comments!

Answer by Dagon for PHP Sessions with disabled cookies, does it work?


"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Sessions: Introduction

Answer by lserni for PHP Sessions with disabled cookies, does it work?


So basically my question is, am I right?

Mostly. In the real world: YES.

Can you use PHP sessions if you disable cookies in your browser?

You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

  • session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREF's and so on. Where it is not propagated because the automagical link recognition failed (e.g. complex URL built in Javascript), it is your responsibility to provide accordingly.

Or - and here we're not in Kansas anymore:

  • passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:guest@www.example.com ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
  • recognizing the browser some other way ("fingerprinting") (this is normally(1) suicidal)
  • Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
  • other ways ( see http://en.wikipedia.org/wiki/Evercookie )

(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.

Answer by Ranjan for PHP Sessions with disabled cookies, does it work?


If session.use_cookies = 1 (Cookie enabled.)

If session.use_cookies = 0 (Cookie disabled.)

If session.use_cookies = 1 then session stores the sessionId into cookie. Calling sessionId() get the stored sessionId from cookie and saved data into session array will be found on all the pages. If session.use_cookies = 0 In this case session does not store sessionId into cookie and you will get each time a new sessionId using session_id() and data stored into session on other pages will not be found on another pages.

Answer by Pankaj Chauhan for PHP Sessions with disabled cookies, does it work?


Yes session will work when cookies is disabled. But first apache check php configuration settings. Like: 

   --enable-trans-sid  and     --enable-track-vars

if these value are set true the session will passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.

< a href="index.php?" >Navigate from here< /a >

Need to set php.ini

ini_set("session.use_cookies", 0);  ini_set("session.use_trans_sid", 1);

Answer by phpsmart.info for PHP Sessions with disabled cookies, does it work?


My answer is that it will not work.

The PHP sessions need cookie to operate.

By standard and basic configurations, browser are to set cookie being enable instead of disabled. Generally web server create PHP session and stored it in the cookie (client side). When session is being called to the server, it will be pass via POST method.

Disabling cookie can cause the POST method to render failed. Thus alternatively GET method is being used as a fallback.

Regarding security issues, it may need another topic question. GET method may seems to be insecure but it can be fixed by several ways.


Fatal error: Call to a member function getElementsByTagName() on a non-object in D:\XAMPP INSTALLASTION\xampp\htdocs\endunpratama9i\www-stackoverflow-info-proses.php on line 72

0 comments:

Post a Comment

Popular Posts

Powered by Blogger.