Why Do PHP Cookies and Sessions Work Even When Cookies Are Disabled?

P: 3
I am trying to explain how cookies and sessions work in a class I teach, but I have hit a wall when it comes to the interaction between cookies and the state of the privacy settings in Internet Explorer. I would appreciate any help anyone can offer, please.

First, consider the following very simple JavaScript function:

    function CookiesEnabled() {
      SetCookie( "testcookie", "testcookie" ) ;
      var bCookiesEnabled =
          ( GetCookie( "testcookie" ) == "testcookie" ) ;
      DeleteCookie( "testcookie" ) ;
      return bCookiesEnabled ;
    }

This function indeed returns true or false depending upon the IE privacy settings. When I block cookies, indeed the function returns false.

Now consider two very simple PHP scripts:

    <?php   // BareBonesGetCookie.php
      print "<p>Cookie 'name' is set to: " .
        $_COOKIE['name'] . "</p>" ;
    ?>

    <?php   // BareBonesSetCookie.php
      setcookie( "name", "Jesse" ) ;
      print "<p>Cookie 'name' has been set to: " .
        $_COOKIE['name'] . "</p>" ;
    ?>

If I run the first script first, I get a blank result as expected. But if I run the second and then the first, I get "Cookie 'name' is set to: Jesse" regardless of my IE privacy settings. I do not understand this.

Here's the example that is really causing me fits. I have written a very simple PHP 5 script that stores some data in session variables:

    <?php  // Script #1
      session_start() ;
      $_SESSION[ "FirstName" ] = "Robert" ;
      $_SESSION[ "LastName" ] = "Thompson" ;
    ?>

I can then retrieve the data with another script:

    <?php  // Script #2
      session_start() ;
      print "<h2>RetrieveSessionVariables.php</h2>" ;
      if ( isset( $_SESSION[ 'FirstName' ] ) ) {
        print "<p><i>First Name:</i>&nbsp; " .
            $_SESSION[ 'FirstName' ] ;
        print "<br/><i>Last Name:</i>&nbsp; " .
            $_SESSION[ 'LastName' ] . "</p>" ;
      } else {
        print "<p>The session variables are not set.</p>";
      }
    ?>

This all works just fine. However, it works even when cookies are disabled. This is what I cannot understand.

I have read the postings on this and other websites that state that session IDs can be passed in URL parameters, hidden form fields, or cookies. In the case of the simple code above, it seems to me that the only option is cookies. But when I run the above code from my web server (a real server that I must access through the Internet, not just localhost) and push the Internet Explorer privacy settings to their maximum, disabling all cookies, Script #2 still prints the data stored in the session variables.

I have shut down all instances of IE to make sure that the session is closed. I have run Script #2 first and indeed I get the message that the session variables are not set. But if I then run Script #1 followed by Script #2, I see the values in the session variables.

The way I understand that session IDs work with cookies is illustrated in the figure posted at:

http://www.onlamp.com/pub/a/php/exce...ex.html?page=2

This figure and everything I read tells me that cookies must be enabled for sessions to work (assuming that one is not using forms). I am quite sure that I know how to block cookies, as evidenced by the JavaScript code at the top of this posting and the fact that it behaves properly when I change my browser privacy settings.

I would really appreciate it if someone could please explain to me what's going on here, that is, why PHP cookies and sessions seem to work regardless of my browser privacy settings.

Thank you sincerely.

Jesse Heines
Computer Science
UMass Lowell
May 20 '07 #1


pbmods
Expert 5K+
P: 5,821
Heya, Jesse. Welcome to TSDN!

Internet Explorer has a separate option to accept session cookies regardless of whether it is set to accept cookies in general. Make sure this option is set properly.

Have you tried running your script in Firefox with cookies disabled? This could be an IE-specific thing, or it might be a 'feature' of web browsers....

And that's the point where my educated guesses stop being so educated. Hope this helps!
May 20 '07 #2

P: 3
Thank you for your reply, pbmods.

> Internet Explorer has a separate option to accept
> session cookies regardless of whether it is set to
> accept cookies in general. Make sure this option
> is set properly.

Yes, I am familiar with that (in the Advanced options), and I unchecked "Always allow session cookies" to no avail. I know I had session cookies disabled because I could not log in to my Fidelity account with those settings. (The Fidelity website is about as secure as a website can be and definitely uses some type of session, although I don't think it's a PHP site.)

> Have you tried running your script in Firefox with
> cookies disabled? This could be an IE-specific
> thing, or it might be a 'feature' of web browsers....

Ah, that suggestion was excellent. Cookie control is indeed much simpler under Firefox, and when I simply unchecked the "Allow sites to set Cookies" checkbox indeed my code worked as expected. That is, the simple cookie scripts would not store cookies and the simple session scripts would not maintain state across webpages.

My conclusion at this point is that you must be right that this is some IE-specific issue. Perhaps it's just IE6. I have another system with IE7 installed, and I'll try it on that one.

Thanks a million for your reply ... on behalf of my students as well as myself! :)

Jesse

PS: Thanks also for editing my posting to teach me about adding the language to the CODE tag in this software to achieve syntax highlighting. Very cool... :)
May 20 '07 #3

P: 3
In my last posting I wrote:

> Perhaps it's just IE6. I have another system with
> IE7 installed, and I'll try it on that one.

I did, and there blocking cookies correctly prevents PHP sessions from working, just as it does on Firefox.

The Privacy settings dialog box in IE7 is exactly the same as that in IE6, but the results appear to be different. Perhaps something is "broken" on the system I use IE6 on, but at least I now understand that I had the concept right, thanks to pbmods's suggestion.

(I need to keep IE6 on my main system due to my need to use an administrative web app at the university that does not yet work with IE7.)

Thanks again,
Jesse
May 20 '07 #4

Atli
Expert 5K+
P: 5,058
I'm not sure why your cookies would be stored if they have been turned off, but it is possible that PHP session IDs are transmitted using POST / GET.
May 21 '07 #5
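
The GET/POST possibility raised in reply #5 can be checked directly. The page below is an added example, not code from any poster in this thread: it reports whether the browser sent the session ID in a cookie, the URL or a form field, while configuring PHP to accept the ID from a cookie only. The file name and the `visits` counter are assumptions made for illustration.

```php
<?php
// SessionTransportCheck.php -- added example, not code from the thread.
// Reports how the session ID reached the server on this request.

// Accept the session ID from a cookie only; must run before session_start().
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore an ID supplied in the URL
ini_set('session.use_trans_sid', '0');    // do not append the ID to links

session_start();

$name = session_name(); // "PHPSESSID" unless reconfigured

// Where did the browser put an ID on this request, if anywhere?
$sentCookie = isset($_COOKIE[$name]);
$sentInUrl  = isset($_GET[$name]);
$sentInForm = isset($_POST[$name]);

// Count visits so that a reload shows whether state survived.
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;

function yesNo($flag) {
  return $flag ? 'yes' : 'no';
}

// Plain text output: nothing sent by the client is rendered as HTML.
header('Content-Type: text/plain; charset=utf-8');

print "Session name:                 " . $name . "\n";
print "Any Cookie header received:   " . yesNo(isset($_SERVER['HTTP_COOKIE'])) . "\n";
print "Session ID sent as cookie:    " . yesNo($sentCookie) . "\n";
print "Session ID in URL (ignored):  " . yesNo($sentInUrl) . "\n";
print "Session ID in form (ignored): " . yesNo($sentInForm) . "\n";
print "session.use_only_cookies:     " . ini_get('session.use_only_cookies') . "\n";
print "session.use_trans_sid:        " . ini_get('session.use_trans_sid') . "\n";
print "Visits in this session:       " . $_SESSION['visits'] . "\n";
?>
```

Reload the page twice with cookies blocked: if the visit count rises and "Session ID sent as cookie" reads yes, the browser is still returning the cookie despite its privacy setting. If the count stays at 1, the cookie really is blocked and, with these settings, no URL or form parameter can stand in for it.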

P: 1
Yes, a PHP session will work even if cookies are disabled. Please check this link ... http://phpsollutions.blogspot.com/20...ies-if-so.html
Jun 5 '14 #6
