In earlier part,
we had many questions, One of them is
1) Is it only possible through cookies, if not then what and how?
By Default “Yes”, but we have other approaches as well.
The only required thing is, to pass the session id back to the server with each request that is made from browser to server to maintain the session between requests.
That can be passed by
By Using HTTP Action
- By setting get parameter in URL like, http://localhost/test.php?PHPSESSID=ikf5jmfd1r84pd4c181ov5jdd2
- Pros :
- Easy to implement
- Have Native support in PHP that is disabled By Default
- Works if the client does not support cookies
- Cons :
- Not Good from the aspect of Security as session id is open in URL, it can be shared by the user without knowing much about this. Although implementation can be done to make it secure, Not advisable until required.
- URLs are not clean
- Pros :
- by sending it along with data using post request, but in that case, each request made to the server must be a post request
- This is just an alternative way of GET Action, have the same pros and cons. It needs an implementation
By Header
we can set the custom parameter in the request header of a request.
- Pros: No dependency on URL and we will have clean URL
- Cons: Can be set only in XMLHttpRequest, it means, the request is created by you, not by the behavior of Browser. So it may be useful where SOA(service-oriented architecture) is used.
Now, I tell you more about the sending session id in GET request as this is the old and has inbuilt support in PHP.
Although support for this is disabled by default, but it can be enabled by changing below parameters in php.ini
session.use_trans_sid = 1
By Default it is zero.
If it is enabled then PHP can parse the SESSION ID from url request get Parameter
So, now question is how will be the url look-alike
Your url would be like
http://localhost/test.php?PHPSESSID=ikf5jmfd1r84pd4c181ov5jdd2
now you may have another question, is that key PHPSESSID is fixed?
No, You can change that by setting in php.ini
session.name = PHPSESSID
Ok, that’s cool.
Now let me test in the browser,
as you test a php page in the browser that is having some anchor tag.
you are checking the source and seeing that there is nothing in href url related to session. ?
So, what the hack?
Actually, Even you set this, PHP will not make the session id based URL for you.
First it will fall for cookie. So first Off this setting in PHP
session.use_only_cookies = 0
To check that
Either you can turnoff the cookie in the browser OR use this flag in php.ini to turn off the support of session cookie.
session.use_cookies = 10
Now you see that it is working.
Some of you face the issue then please check below setting , It should have the value like this. This value means PHP will only convert the HTML anchor tag <a href> value with session id by it self.
url_rewriter.tags = “a=href,area=href,frame=src,input=src,form=fakeentry”
For Sample,
I have a page source like this
<?php
session_start();$_SESSION [‘key1’] = ‘page 1’;
print_r($_SESSION);
?>
<p><a href=”page_2.php”>Page 2</a>
< p><a href=”page_3.php”>Page 3</a>
< p><a href=”page_4.php”>Page 4</a><p><form action=”page_5.php”>
< /form>
after above settings, when it rendered on browser, it source code was
You can check php has already converted the url and form to support session id parameter.
There is no extra code required. You can control which html tags should support to rewrite the url by using url_rewriter.tags
You can play with this yourself and check the behavior.
Notes:
- PHP has support for session id parsing other than cookie but by default that is disabled.
- You can enable that support by altering php.ini
- Both medium Cookie and Action can be supported at same time
- But First, PHP will fallback to Cookie
- Although, PHP has support for ACTION based Session ID , but that is not advisable.
We will cover other question in next part…..
Read Earlier Parts-