I am writing PHP code where I want to pass the session id myself using POST. I don't want a cookie to store the session, as it should get lost when the user gets out of the
Use ini_set():
ini_set('session.use_cookies', '0');
Or in your php.ini file:
session.use_cookies = 0
You can also put that setting in .htaccess so it applies to all scripts, otherwise you need to ensure that code is called on each request.
E.g.
php_value session.use_cookies 0
The way to do it is to set up sessions yourself.
In the central include file that all your other files are including (you do have one of those, right?), you need to do a few things as early as is practical.
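if( !array_key_exists('sessionid', $_POST) ) {
    // No session id was posted: create a new one
    $sessionid = md5(rand().' '.microtime()); // Or something
} else {
    // Reuse the session id the form posted back
    $sessionid = $_POST['sessionid'];
}
// Tell PHP which id to use, then start the session
session_id($sessionid);
session_start();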
Now you have to remember that as soon as you start the form, you need to include:
<input type='hidden' name='sessionid' value='<?= session_id() ?>'>
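Because the id in this scheme is read straight from $_POST and new ids are built from rand() and microtime(), a hardened variant is worth seeing next to it; the block below is an added example, not part of the original answer. It assumes PHP 7.1 or later and the default files save handler, and start_post_session(), session_field() and the issued_by_server marker are hypothetical names.

```php
<?php
// Added example: not code from the original answers.
// start_post_session() and session_field() are hypothetical helper names.

function start_post_session(array $post): string
{
    // Never emit or accept a session cookie, and never rewrite URLs with the id.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_trans_sid', '0');
    // Strict mode: an id with no session data on the server is discarded and
    // replaced, so a client cannot pick its own id (session fixation).
    ini_set('session.use_strict_mode', '1');

    $id = $post['sessionid'] ?? null;

    // Only hand PHP an id shaped like one it could have issued:
    // a string of 22-256 characters from [A-Za-z0-9,-].
    if (is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1) {
        session_id($id);
    }
    // With no id set, session_start() generates one from the CSPRNG,
    // so md5(rand() . microtime()) is not needed.
    session_start();

    // Second line of defence if the save handler cannot validate ids:
    // only sessions created here carry the marker (assumed key name).
    if (empty($_SESSION['issued_by_server'])) {
        session_regenerate_id(true);
        $_SESSION = ['issued_by_server' => true];
    }
    return session_id();
}

function session_field(): string
{
    // Escape the id before writing it into the hidden form field.
    return '<input type="hidden" name="sessionid" value="'
        . htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8') . '">';
}

$sid = start_post_session($_POST);
echo '<form method="post">', session_field(), '<button>Continue</button></form>';
```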
If you just need to be able to zap a session at a given time, use session_destroy(). If you want to completely end the session, here's a snippet copy/pasted straight out of the documentation:
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
I was having trouble with PHP's documented approach to destroying a session w/ cookies.
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
This was resulting in my seeing the cookie set twice:
Set-Cookie: SESSION_NAME=deleted; expires=Sat, 08-Jan-2011 14:09:10 GMT; path=/; secure
Set-Cookie: SESSION_NAME=1_4f09a3871d483; path=/
As documented in the PHP comments, setting the cookie value to something other than empty ('') gets rid of the "deleted" value, but the second cookie set remained.
To get rid of that, I had to add the code suggested above:
ini_set('session.use_cookies', '0');
I haven't looked at the source for sessions handling, but my guess is that setcookie(...) is bypassing the sessions module, so sessions doesn't know I called it. So, it is setting a default cookie after I set up a deleted cookie.
I was testing on a mac: PHP 5.3.6 with Suhosin-Patch (cli) (built: Sep 8 2011 19:34:00)
Err, it's possible to override the default settings of your host by creating your own .htaccess file, and here's a great tutorial if you haven't touched that yet: http://www.askapache.com/htaccess/apache-htaccess.html
or if you're too lazy to learn,
just create a ".htaccess" file (yes, that's the filename) in your site's directory and place the following code
php_value session.use_cookies 0