The session ID has to be sent to the browser with every response and, much more importantly, has to be sent back to the server with every request. The easiest way to do so is to use cookies. PHP then sends a cookie named PHPSESSID (the name can be changed with the directive session.name) to the client. For this to happen, the following php.ini directive must be set:

session.use_cookies = 1

But what happens if the client does not support cookies? Then a second mechanism comes into play, enabled by the following directive:

session.use_trans_sid = 1

PHP then automatically falls back into a mode in which the session ID is appended to all URLs (and inserted as a hidden field into forms). This is quite practical, but it creates security risks: a session ID in a URL ends up in browser history, in proxy and server logs and in Referer headers, and an attacker can hand a victim a link carrying a prepared ID, which is the basis of session fixation and session hijacking. Many e-commerce websites have nevertheless used this mechanism; on Amazon, for instance, a session ID is appended to the end of the URL when you load a page. To be able to use session.use_trans_sid, PHP must be compiled with the switch --enable-trans-sid, something that is done automatically for the Windows and Mac OS X binaries.

The safer option is to accept session IDs only from cookies, never from URLs. To do so, use the following php.ini directive:

session.use_only_cookies = 1
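As an added example (this is not code from the original text), the following PHP bootstrap applies the cookie-only configuration discussed above at runtime, logs any session ID that still arrives in the URL or request body, and regenerates the ID after a successful login so that an ID planted before authentication never becomes an authenticated one. The function names are my own; the use of session.use_strict_mode and the array form of session_set_cookie_params are assumptions beyond the text (they require PHP 5.5.2 and 7.3 respectively).

```php
<?php
// Added example, not from the original text: enforce cookie-only sessions.
// php.ini equivalents of what harden_session_config() sets at runtime:
//   session.use_cookies      = 1
//   session.use_only_cookies = 1
//   session.use_trans_sid    = 0
//   session.use_strict_mode  = 1   (assumed available, PHP >= 5.5.2)
declare(strict_types=1);

function harden_session_config(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // never read PHPSESSID from the URL
    ini_set('session.use_trans_sid', '0');    // never append PHPSESSID to URLs or forms
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_set_cookie_params([               // array form needs PHP >= 7.3
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // send the cookie over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns 'GET' or 'POST' if a parameter named like the session cookie is
// present in the request, otherwise null. With use_only_cookies=1 PHP ignores
// such a parameter anyway, but a link of the form ?PHPSESSID=... is the
// classic fixation vector, so it is worth logging.
function session_id_in_request(array $get, array $post, string $name): ?string
{
    foreach (['GET' => $get, 'POST' => $post] as $source => $params) {
        if (array_key_exists($name, $params)) {
            return $source;
        }
    }
    return null;
}

// On a privilege change (e.g. successful login) issue a fresh ID so that an ID
// the attacker may have planted before authentication is discarded.
function on_login_success(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION['uid'] = $userId;
}

harden_session_config();
$name = session_name(); // 'PHPSESSID' unless session.name was changed

$where = session_id_in_request($_GET, $_POST, $name);
if ($where !== null) {
    error_log("session id supplied via {$where}; ignored because use_only_cookies=1");
}

session_start();
```

The ini_set calls must run before session_start(); once a session has been started, changing these directives has no effect on the current request. Setting them in php.ini is preferable where you control the server, because a runtime call cannot undo a URL that trans_sid has already rewritten in an earlier response.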