Sunday, February 13, 2011

How to disable PHP session cookie?

I am writing PHP code where I want to pass the session id myself using POST. I don't want a cookie to store the session, as it should get lost when the user gets out of the POST cycle.

PHP automatically sets the cookie where available. I learned it is possible to change this behaviour by setting session.use_cookies to 0 in php.ini. Unfortunately, I don't have access to that file and I also wouldn't want to break the behaviour of other scripts running on the same server.

Is there a way to disable or void the session cookie inside the PHP script?

EDIT: As the proposed solutions don't work for me, I used $_SESSION = array() at positions in the code where I found the session should be invalidated.

  • Use ini_set():

    ini_set('session.use_cookies', '0');
    
    ypnos : Thank you. That should solve my problem, but unfortunately, instead PHP stops in the middle of script execution now (even in the middle of HTML output)..
    ypnos : I won't tag this as being the correct answer as it made PHP defunct. Perhaps a PHP bug?
    From yjerem
  • Err, it's possible to override the default settings of your host by creating your own .htaccess file, and here's a great tutorial if you haven't touched that yet: http://www.askapache.com/htaccess/apache-htaccess.html

    Or if you're too lazy to learn, just create a ".htaccess" file (yes, that's the filename) in your site's directory and place the following code

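    # php_flag sets a boolean PHP ini directive per directory (needs mod_php); SetEnv would only set an environment variable
    php_flag session.use_cookies off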
    
    ypnos : Thank you, unfortunately it is not Apache but very old Netscape Server..
    lock : Oh, Google is always our friend ^_^ Just tell me the name of the server and I'll try to find answers there hehehe
    From lock
  • You can also put that setting in .htaccess so it applies to all scripts, otherwise you need to ensure that code is called on each request.

    Eg.

    php_value session.use_cookies 0

    ypnos : Thank you, unfortunately the site is running Netscape Server! :(
    From DreamWerx
  • The way to do it is to setup sessions yourself.

    In the central include file that all your other files are including (you do have one of those, right?), you need to do a few things as early as is practical.

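    if( !array_key_exists('sessionid', $_POST) ) {
        // no id was posted: create a new, unpredictable one (random_bytes() needs PHP 7+)
        $sessionid = bin2hex(random_bytes(16));
    } else {
        // continue the session whose id came in with the form
        $sessionid = $_POST['sessionid'];
    }

    // set the id explicitly, then start the session under it
    session_id($sessionid);
    session_start();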
    

    Now you have to remember that as soon as you start the form, you need to include:

    <input type='hidden' name='sessionid' value='<?= htmlspecialchars(session_id(), ENT_QUOTES) ?>'>
    
    From staticsan
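
An added example, not part of staticsan's answer or of any project's code: one way to carry the session id in a hidden POST field while suppressing the cookie for this script only, and to reject an id the server never issued instead of adopting it (session fixation). The names `start_post_session()`, `session_hidden_field()` and the `issued_by_server` marker are hypothetical; `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added example: cookie-less session whose id travels in a hidden POST field.
// start_post_session(), session_hidden_field() and the 'issued_by_server'
// marker are hypothetical names; 'sessionid' is the field used in the answer.

function start_post_session(array $post): string
{
    // Per-script settings: send no session cookie, rewrite no URLs with the id.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_trans_sid', '0');

    $candidate = $post['sessionid'] ?? '';
    // Only strings built from the characters PHP allows in a session id.
    $accepted = is_string($candidate)
        && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $candidate) === 1;

    if ($accepted) {
        session_id($candidate);
        session_start();
        // A well-formed id that this server never issued opens an empty
        // session without the marker; adopting it would allow session fixation.
        if (empty($_SESSION['issued_by_server'])) {
            session_destroy();
            $accepted = false;
        }
    }

    if (!$accepted) {
        session_id(bin2hex(random_bytes(16))); // 128 bits from the CSPRNG
        session_start();
        $_SESSION['issued_by_server'] = true;
    }

    // If session.use_strict_mode is on, PHP may have substituted its own id.
    return session_id();
}

function session_hidden_field(): string
{
    // The id goes in the value attribute, escaped for an HTML attribute context.
    return '<input type="hidden" name="sessionid" value="'
        . htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8') . '">';
}

// Usage in the central include, before any output is sent:
start_post_session($_POST);
echo '<form method="post">', session_hidden_field(),
     '<button type="submit">Next</button></form>';
```

Because the id is only ever sent in the POST body, it stays out of URLs, referrer headers and browser history.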
  • If you just need to be able to zap a session at a given time, use session_destroy(). If you want to completely end the session, here's a snippet copy/pasted straight out of the documentation:

    <?php
    // Initialize the session.
    // If you are using session_name("something"), don't forget it now!
    session_start();
    
    // Unset all of the session variables.
    $_SESSION = array();
    
    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }
    
    // Finally, destroy the session.
    session_destroy();
    ?>
    
