What happens if cookies are disabled?

Question

Pretty basic question here. In PHP, if the user\'s browser has cookies disabled, you cannot make use of both server cookies ($_SESSION) AND client cookies (

Answer 1

You can track the user by $_GET.

Imagine that on every-single-page the user visits you pass a ?user_id=XYZ123 then you would have implemented a very similar server-identification. It has obvious disadvantages:

1. if you copy/paste a URL you'll give away your session_id
2. because of 1 session high-jack is even less tech savy

Why do users disable cookies?
Users tend to throw first and third party cookies all in the mix but they come from different breeds.

First party cookies are generally ok. When you visit Facebook it's expected that Facebook keeps a cookie to store your interactions with the server.

What it's not expected is that the advertising company that has adds both on Facebook and on eBay gets your cookie back and checks, ah, so this guy was on eBay looking for xyz so now that he's on Facebook I'm gonna show him up abc to make him buy etc etc...

Answer 2

I think you should read the session reference manual http://www.php.net/manual/en/session.idpassing.php

In short, if your server can't find session_id, he can not restore session. But you can use alternate ways to store session values. Or you can generate session_od base on user's client environment parameters.

Answer 3

Yes, it's true. Both sessions and normal cookies are normal cookies. If a user does not accept cookies, he cannot use any of the functionality enabled by them. Which means pretty much the whole internet would break for that user, which is why in this day and age there's virtually nobody who has cookies disabled entirely.

PHP has a built-in mechanism called transparent session ids, which automagically rewrites all links to contain the session id in a query parameter. I would not suggest using it, since session ids in the URL open up a whole new can of worms.

For user friendliness, I'd recommend you test whether the user has cookies enabled or not (set a cookie, redirect to the next page with a flag in the URL that cookies should be set, see if you get any cookies back) and if not, kindly advise the user to enable them.