Session without cookie and url?

YogSothoth

Hi!

I want to write a login module for my homepage and think I will need session-handling for this. Till now (after some tutorials and manuals) I've found two ways to do this:
1. A cookie storing the Session-ID.
2. Put the Session-ID in the URL (e.g. ...index.php?Session=".SID."...).
I don't like the first way because I want to hold my page clean of any cookies. And I'm a little confused about the second possibility: If someone posts a link containing his Session-ID to a forum everyone who clicks this link will be logged in on his account, or am I wrong? If I'm not, I don't like this way too.
My question: Is there any other way to handle sessions? And if not, which way would you experienced users suggest me?

Thanks for reading
YogSothoth

dalecosp

These are the only two ways that PHP will do the job "automagically", as you've noticed. Unless every page on your site is treated as a form, though, I can't think of any other method of storage, other than the user's brain.

"Cookie free", really? Why?

Say you are a student at a university. They give you a student number. If you don't wear it on a name tag (GET) or put it on a card in your wallet (COOKIE) then someone from the university would have to follow you around and tell other officials your number (POST) or else you'd have to reapply at each stage of the game ("Please input your name and personal information before proceeding...."). That's a world of unecessary coding.

You could maybe try and use remote addresses and a database, but once again, lots of coding, and no guarantee of reliability.

I wonder if there's another thought ... somehow assign scope to a variable, but I'd think that'd would lead to similar issues with "uniqueness." I don't think there's really any way to handle it other then G/C. If there were, I'd think we'd have the option.

But I've been wrong before. :rolleyes:

YogSothoth

Ok, there's no "easy" third way so I think I will use one of the two. The reason why I don't like to use cookies is that I want to make everyone able to see my page (that's why I don't use Java, JavaScript, Flash or anything like that, just pure HTML generated by PHP) even with a text-browser and disabled cookies.
But if you say cookies are more secure than the url-method (I know, you didn't yet 😉 ) or if there are any other advantages of cookies than auto-login I couldn't handle with the url-method I will reconsider this.

Thanks for your quick answer
YogSothoth

dalecosp

Well, you don't have to have protected content, either, right?

Seems to me that asking the end-user to enable cookies in order to see your protected material is a fair enough trade.

FWIW, lynx (a widely used text only browser) handles cookies quite well.

YogSothoth

You convinced me! Nevertheless I won't be able to continue my page before monday, so if someone has another idea please post it. Elsewhen I will make myself familiar with cookies and use them.

Thx
YogSothoth

dalecosp

PHP handles the cookies automagically, as long as its set to do so in php.ini......

So you don't have to learn anything but session terms and functions. 🙂