PHP Sessions with disabled cookies, does it work?

Front-end | unresolved | 9 | 1777
暖寄归人 2020-11-28 03:58

Today I had a Skype interview for a job as a PHP developer; one of the questions asked was about cookies and PHP sessions.

The question was, can PHP session be set and r

9 answers
  • 2020-11-28 04:39

    Yes, sessions will work when cookies are disabled. But first Apache checks the PHP configuration settings, like:

       --enable-trans-sid
    and
       --enable-track-vars
    

    If these values are set to true, the session will be passed by POST automatically.

    If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.

    <a href="index.php?<?= SID ?>">Navigate from here</a>
    

    You also need to set this in php.ini:

    ini_set("session.use_cookies", 0);
    ini_set("session.use_trans_sid", 1);
    
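The settings named in the answer above, put to work in one script. This is an added example, not code from the answer: it assumes PHP's default "files" session handler, is run from the CLI (`php sessions_without_cookies.php`), and uses a temporary save directory constructed here. It shows the two propagation paths the answer mentions, automatic rewriting by `session.use_trans_sid` and the manual `SID` constant, and one defender-relevant detail: absolute links to other hosts are left alone, so the session ID is not handed to third parties.

```php
<?php
// Added example (not from the thread). Run from the CLI; output is the HTML
// fragment PHP would have sent to a browser that refuses cookies.
declare(strict_types=1);

// Assumption: default "files" save handler, writing to a temp dir we create.
$saveDir = sys_get_temp_dir() . '/php-sess-demo-' . uniqid();
mkdir($saveDir, 0700);
ini_set('session.save_path', $saveDir);

// The three settings from the answer: no cookie, allow the ID in the URL,
// and let PHP rewrite relative links and forms so they carry it.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

// Must run before any output: the trans_sid rewriter is an output handler
// that is installed when the session starts.
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

// 1) Automatic propagation. PHP rewrites the href of relative <a> tags and
//    injects a hidden <input> into <form> (which tags it touches is governed
//    by session.trans_sid_tags).
echo '<a href="page.php">auto-rewritten link</a>', "\n";
echo '<form method="post" action="page.php"><button>go</button></form>', "\n";

// 2) Absolute URLs to other hosts are NOT rewritten unless the host is
//    listed in session.trans_sid_hosts, so the ID stays on your own site.
echo '<a href="https://example.com/">external link, left alone</a>', "\n";

// 3) Manual propagation for URLs the rewriter never sees (built in
//    JavaScript, sent as a redirect, ...). SID holds "name=id" once the
//    session started without a cookie, and is empty when a cookie carried it.
$manualQuery = SID;                                       // e.g. PHPSESSID=<id>
$redirectTarget = 'other.php?' . session_name() . '=' . session_id();

echo "query string for links you build yourself: ", htmlspecialchars($manualQuery, ENT_QUOTES), "\n";
echo "redirect target you would pass to header('Location: ...'): ", $redirectTarget, "\n";
echo "visits in this session: ", $_SESSION['visits'], "\n";
```

Every request that arrives without the ID in its URL starts a fresh session, which is why the visit counter only grows while the rewritten links are followed; that is the "your responsibility to provide accordingly" part of the third answer.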
  • 2020-11-28 04:39

    You will need to put the session ID in the URL. You will need to make a change in your php.ini file so if you are on a shared host you will need to contact them to see what they will do for you.

  • 2020-11-28 04:40

    So basically my question is, am I right?

    Mostly. In the real world: YES.

    Can you use PHP sessions if you disable cookies in your browser?

    You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

    • session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREF's and so on. Where it is not propagated because the automagical link recognition failed (e.g. a complex URL built in Javascript), it is your responsibility to provide it accordingly.

    Or - and here we're not in Kansas anymore:

    • passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:guest@www.example.com ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
    • recognizing the browser some other way ("fingerprinting") (this is normally(1) suicidal)
    • Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
    • other ways ( see http://en.wikipedia.org/wiki/Evercookie )

    (1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.

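The "session ID in GET" path from the answer above has one consequence a practitioner should see before relying on it: whatever ID the browser puts in the URL is offered to PHP's session layer, and whether PHP adopts an ID it has never issued depends on `session.use_strict_mode`. This added example (not code from the answer) drives that path from the CLI by setting `$_GET[session_name()]`, which is exactly where `session_start()` reads a URL-carried ID when `session.use_only_cookies` is off. It assumes the default "files" handler, a temp save directory created here, and a constructed ID that no server-side session exists for.

```php
<?php
// Added example (not from the thread): the URL-carried session ID with and
// without session.use_strict_mode. Run from the CLI.
declare(strict_types=1);

// Assumption: default "files" save handler with a temp dir created here.
$saveDir = sys_get_temp_dir() . '/php-sess-strict-demo-' . uniqid();
mkdir($saveDir, 0700);
ini_set('session.save_path', $saveDir);
ini_set('session.use_cookies', '0');       // the no-cookie scenario
ini_set('session.use_only_cookies', '0');  // otherwise PHP ignores the URL entirely
ini_set('session.use_trans_sid', '0');     // keep the output rewriter out of this demo

// Simulate "GET /index.php?PHPSESSID=<id>" and report which ID PHP ended up
// using. session_destroy() drops the session and clears the in-process ID so
// the next call starts from a clean state.
function startFromUrl(string $urlId, bool $strictMode): string
{
    ini_set('session.use_strict_mode', $strictMode ? '1' : '0');
    $_GET[session_name()] = $urlId;
    session_start();
    $effective = session_id();
    session_destroy();
    unset($_GET[session_name()]);
    return $effective;
}

// Constructed: a well-formed ID that was never issued by this server.
$uninitialised = 'abcdef0123456789abcdef0123456789';

// Strict mode first: the unknown ID is rejected and PHP generates its own.
$strictResult = startFromUrl($uninitialised, true);

// Lax mode: the unknown ID is adopted and a session is created under it,
// i.e. a value chosen by the client becomes a valid server-side session key.
$laxResult = startFromUrl($uninitialised, false);

printf("use_strict_mode=1: %s (adopted from URL: %s)\n", $strictResult,
       $strictResult === $uninitialised ? 'yes' : 'no');
printf("use_strict_mode=0: %s (adopted from URL: %s)\n", $laxResult,
       $laxResult === $uninitialised ? 'yes' : 'no');
```

With strict mode on, only IDs the server itself created are honoured, which is the setting to keep when the ID travels in the URL; pairing it with `session_regenerate_id(true)` after login keeps the pre-login ID from outliving the authentication step.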