phpsessioncookies

PHP Sessions with disabled cookies, does it work?


Today I had skype interview for a job as PHP developer, one of the questions asked was about Cookies and PHP Sessions.

The question was, can PHP session be set and read, used, if Cookies are disabled in users Browser?

I told them not, beacuse PHP Sessions by default depends on setting a session cookie. When PHP session starts, new session Cookie is set with default name PHPSESSID, and that cookie holds value of that session id, for example: ftu63d8al491s5gatuobj39gk7 Then on apache server in tmp folder file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.

Then I told them that you can do that, but then session id would be passed through URL as GET variable. And that's not secure and you must set it up in php.ini.

They were talking how you can use PHP Sessions even if Cookies are disabled in browser. And what if we are building web shop, and some granny uses our web shop and disables cookies and she joust don't care. And that PHP Sessions are great because you can use them even if user disables Cookies. I was like wtf, wtf wtf?!?!

I made test with two files, index.php starts session and sets session variables. And then session.php tries to read that session variables.

This is how it looks:

index.php

<p>This is where I start and set php sessions.</p>

<?php

    session_start();
    $_SESSION['test1'] = "SessionTest1";
    $_SESSION['test2'] = "SessionTest2";

?>

<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p><a href="session.php">Read Session</a></p>

session.php

<?php

    session_start();
    var_export($_SESSION);

?>

<p><a href="index.php">Back</a></p>

Now, if you enable cookies in your browser, visit index.php, and the visit session.php , session would be printed out.

But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see empty array right?

So basically my question is, am I right? Can you use PHP sessions if you disable cookies in your browser? And do PHP Session mechanism by default, depends on setting a session COOKIE?

Update: I was going mad about this, so I called back the guy I was talking with. And asked him, can PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and start laughing. Then I told him, ok if PHP session can work without setting cookie, how would server know current user/browser session id, if its not stored in a session cookie? (I wanted to see if he knows that session id can be passed as GET variable) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask that the Developer guy. And that he is 43 years old and has huge experience of 13 years in the bussines (he started with 30? wtf?), but he trusts me on this one. And I explained him how Session work and that you can use it without Cookie but then session id is passed as GET variable, and told him I told them that on interview, but they ware telling me no, no no... :S

So basically, the guy didn't have a clue about PHP and PHP Sessions, and yes he was the one that asked me about sessions telling me that PHP Session can work without cookie, even when I told him it cant be done, and that there is a way to use PHP Sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept job offer from them, and after all this I dont think they will offer me a job anyway...

Thanks for all the comments!


Solution

  • "A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

    Sessions: Introduction