PHP session without cookies
Problem Overview
Is there a way that I can initiate a persistent session in PHP without the placement of a session cookie? Are there other ways of maintaining a session across pages, such as an IP address-based solution?
My reason for asking is that although most users have cookies on, I want to see if there's a way for a login system to work for those with them disabled (even though I think disabling cookies is just unnecessary paranoia, personally).
Php Solutions
Solution 1 - Php
I don't think it's too much to ask your users to enable cookies. I find it silly when people turn them off entirely.
Otherwise, you can set your session.use_only_cookies to "0" to force the appendage of a session ID to URLs within your PHP. This approach, however, has several drawbacks, mainly that of keeping the state within the URL as opposed to the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.
<?php
ini_set("session.use_cookies", 0);      // do not send a session cookie
ini_set("session.use_only_cookies", 0); // accept the session ID from the URL
ini_set("session.use_trans_sid", 1);    // rewrite links and forms to carry the ID
ini_set("session.cache_limiter", "");   // send no cache-control headers
session_start();
Solution 2 - Php
You can set the ini value of session.use_trans_sid to true in order to activate appending the session ID to every URL. Have a look at this.
For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (behind a proxy e.g.) could reuse that very same session.
Solution 3 - Php
You can work with session IDs in URLs, and disabling cookies with:
ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);
session_start();
// IP check: if the session was created from another address, throw it away
if (isset($_SESSION['ip_check']) && $_SESSION['ip_check'] != $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true); // fresh ID so the one carried in the old URL is no longer valid
}
$_SESSION['ip_check'] = $_SERVER['REMOTE_ADDR'];
// session stuff
// session stuff
Note: it's highly discouraged to use session IDs in URLs. IP addresses can change when travelling around with a wireless card, and proxy servers have the same IP address. It's easily broken when clicking 'an old URL' (with the old session ID).
You may also be interested in creating your own session handling function (in conjunction with a database). You would ignore the session ID, and bind it to the IP address. (See examples in http://php.net/manual/en/function.session-set-save-handler.php)
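The main risk of the URL-carried session ID used in Solutions 1 to 3 is session fixation and leakage through copied links and the Referer header. The following is an added example, not code from any of the answers above, showing the same cookieless setup with PHP's own mitigations switched on (session.use_strict_mode and session.trans_sid_hosts, both real ini settings) and the IP binding from Solution 3 done without notices; bindSessionToClient and loginUser are hypothetical helper names, and PHP 7.1+ with the default file handler is assumed.

```php
<?php
// Added example: cookieless session via trans_sid, hardened against fixation.
// Assumes PHP 7.1+ (session.trans_sid_hosts) and the default file session handler.

// Carry the session ID in URLs instead of a cookie (as Solutions 1-3 do).
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
// Reject session IDs the server did not generate itself: a link sent to a
// victim with ?PHPSESSID=<chosen value> no longer fixes the victim's ID.
ini_set('session.use_strict_mode', '1');
// Only rewrite same-host links, so the ID is never appended to external URLs.
ini_set('session.trans_sid_hosts', $_SERVER['HTTP_HOST'] ?? 'localhost');
// Stop the ID (which is in the page URL) leaking via the Referer header.
header('Referrer-Policy: no-referrer');

session_start();

// Bind the session to the client address (Solution 3's idea) and rotate the
// ID on mismatch instead of reusing the ID seen in the URL. Returns false
// when previous session state was discarded.
function bindSessionToClient(string $remoteAddr): bool
{
    if (isset($_SESSION['ip_check']) && $_SESSION['ip_check'] !== $remoteAddr) {
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['ip_check'] = $remoteAddr;
        return false;
    }
    $_SESSION['ip_check'] = $remoteAddr;
    return true;
}

// Rotate the ID at every privilege change (right after login) so a URL
// copied before login does not keep working as the logged-in session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

$bound = bindSessionToClient($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
// trans_sid appends the current ID to this same-host link in the output.
echo '<a href="profile.php">Profile</a>';
```

The caveats in the answers still apply: clients behind the same proxy share an address, and a user whose address changes mid-session is logged out by the binding.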
Solution 4 - Php
You can save session id per IP in the database:
Create a mysql table with three fields: session_id, ip and unique temp key (for logged users) or any other condition you like. Then turn off session cookies and use_trans_sid.
Then write code to manage session behaviour based on this new table.
After session_start(), save session_id() in the table and later retrieve it from the table (by IP and any other condition), then call:
session_id($in_table_session_id);
For more information and a complete guide see: https://gist.github.com/mimrahe/77415f4a9e238c313bbe8c42f8a6b7fe
Solution 5 - Php
You could create a database record or temporary file and check $_SERVER vars against the request on every page load. It's a security risk, but with enough variables (have a look at the list here) you may feel you've gotten the chance of hijack down to an acceptable level; only you know how secure your app needs to be.
Solution 6 - Php
If I wanted to do that then I would add the session id in the HTML code as a comment tag and use and configure the PHP code to use that session id which is included in the HTML code. I think it will be more relevant to do that instead of doing it with user IP or adding the session id in the URL.
Solution 7 - Php
The correct answer on this is NO. Using any combination of variables besides a cookie is insecure.
Think about it: when a user FIRST requests a page, the server is sending the page along with a unique value saying "HTTP is stateless, keep this so I know it's 'you' next time you call". That means, that person, in that browser (regardless of tab), running at that time, has a unique token.
If and only if they've logged in successfully, that token can now be tied to a session on the server side. Tokens are supposed to be so long and random that nobody could guess one in time.
Multiple browsers could be using the same IP address. Multiple people could have the EXACT same user agent. A cookie is the only storage system that works.
There's actually one more way, and that is to add the unique token to every single link back to the server as well as all AJAX calls, like ?PHPSESSID=my-unique-token-189481958 - but that's a pain to code.
Solution 8 - Php
You can also log in without cookies, only by session ID and time, but you have to write them both to your database directly after a successful login.
I have in index.php something like this that will always generate a new session ID based on time and the old session ID if the conditions are not verified.
// $row is the user's database row holding the stored session ID and its expiry time
if (!isset($_SESSION['id']) || $_SESSION['id'] != $row['session'] || time() > $row['sessiontime']) {
    session_destroy();
    session_start();
    session_regenerate_id(true);
}
$_SESSION['id'] = session_id();
I use two variables in the database for ID and time.
And in the login window I read the session ID from the $_SESSION['id'] variable, then I increment the time and send both to the database.