sessions in PHP

bookbuyer2000

Is there a way to use sessions in PHP, without having the SID appear in the URL if my visitors choose NOT to use cookies?

I thought I read somewhere there was a way.

Thank you!

bpat1434

You can set session.use_trans_sid to 0 in php.ini. Directly from php5.ini:

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

This goes without saying that session.use_cookies is enabled.

bookbuyer2000

Thank you for your response. Is there a way to use sessions in PHP, without having the SID appear in the URL if my visitors choose NOT to use cookies?

NogDog

The session ID must be transmitted by the browser to the server. There are basically 3 ways this can happen:

In a cookie
In a URL query string
In a form field (e.g. a hidden field)

As the last option is the only one that meets your criteria of not requiring cookies and not having the SID in the URL, you would then have to make all of your internal links actually be post-method forms, manipulating them with CSS to make them look like links instead of submit buttons, and probably making it impossible for search engines to spider through your site (if that is important to you).

bpat1434

I'm just going to throw this out there, but you could write a "check" that you use on every page to take the session data, and see how old it is. If it's older than XX minutes or something, then it's safe to assume that a new session should be started. But you'd still need the SID in the URL.