Can sessions work without cookies? If so, how does a session work without cookies enabled in PHP?

This is a great interview question because even if you do not know the answer, you can reason your way to a fairly accurate one with some basic knowledge of PHP sessions and some analytical thinking. Before reading on, see if you can work out how PHP sessions would work without cookies enabled in the browser.

The answer to how PHP sessions can work without cookies

Sessions in PHP normally use cookies to function. However, PHP sessions can also work without cookies when cookies are disabled or rejected by the browser that the PHP server is communicating with.

How PHP sessions work without cookies

PHP does two things in order to work without cookies:

1. For every HTML form that PHP finds in your HTML code (which of course can be part of a PHP file), PHP will automatically add a hidden input tag with the name PHPSESSID right after the <form> tag. The value of that hidden input tag would be whatever value PHP assigns your session ID. So, for example, the hidden input could look something like this:


<input type="hidden" name="PHPSESSID" value="12345678" >


This way, when the form is submitted to the server, PHP will be able to retrieve the session identifier from the form and will know who it is communicating with on the other end, and will also know which session to associate the form parameters with if it is adding the form parameters to the PHP session.

2. PHP will find all the links in your HTML code, and will modify those links so that they have a GET parameter appended to the link itself. That GET parameter will also have the name of PHPSESSID, and the value will of course be the unique session identifier – so the PHP session ID will basically be a part of the URL query string.

So, for example, if your code has a link that originally looks like this:

<a href="">Go to this link</a>

When modified by PHP to include the session ID, it could look something like this:

<a href="">Go to this link</a>

PHPSESSID can have its name changed in the php.ini file

Note that we said PHPSESSID is the name that will be used to hold the PHP session value. The name PHPSESSID can actually be changed to whatever you want if you modify the value in the php.ini file.

What is a disadvantage of using PHP sessions without cookies enabled?

A disadvantage of using PHP sessions without cookies is that if you share a URL that has the PHP session ID appended to it with someone else, then they could potentially use the same exact session that you were using. It also opens you up to session hijacking – where a user’s session is deliberately stolen so that a hacker can impersonate you and do some damage.
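To avoid the disadvantage described above, a site can refuse session IDs that arrive in URLs and forms and accept them from a cookie only. The following is an added example, not code from the original article: it uses PHP's session.use_only_cookies and session.use_trans_sid settings, while the function names and the sample request URIs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names and sample URIs are constructed.
// Cookie-only session settings: the ID never travels in links or forms.
const SESSION_OPTIONS = [
    'use_only_cookies' => 1,     // ignore session IDs sent in GET/POST data
    'use_trans_sid'    => 0,     // do not rewrite links and forms with the ID
    'use_strict_mode'  => 1,     // refuse IDs this server did not issue
    'cookie_httponly'  => 1,     // keep the cookie away from page scripts
    'cookie_secure'    => 1,     // send the cookie over HTTPS only
    'cookie_samesite'  => 'Lax',
];

// Return the request URI without the session-ID parameter (path and query
// only, so the result can never redirect to another host).
function strip_session_param(string $uri, string $name = 'PHPSESSID'): string
{
    $parts = parse_url($uri);
    if (!is_array($parts)) {
        return '/';                              // unparseable: use the site root
    }
    parse_str($parts['query'] ?? '', $query);
    unset($query[$name]);
    $clean = '/' . ltrim($parts['path'] ?? '', '/\\');
    return $query === [] ? $clean : $clean . '?' . http_build_query($query);
}

// Call at the top of every page, before any output.
function begin_request(): void
{
    $name = session_name();                      // PHPSESSID unless renamed in php.ini
    if (isset($_GET[$name])) {
        // An old or shared link still carries an ID: bounce to the clean URL
        // so it is not bookmarked, forwarded, or leaked again.
        header('Location: ' . strip_session_param($_SERVER['REQUEST_URI'], $name), true, 302);
        exit;
    }
    session_start(SESSION_OPTIONS);
}

if (PHP_SAPI === 'cli') {
    // Constructed request URIs to show the stripping logic offline.
    foreach (['/cart.php?item=7&PHPSESSID=12345678', '/cart.php?item=7', '/?PHPSESSID=12345678'] as $uri) {
        echo $uri, ' -> ', strip_session_param($uri), PHP_EOL;
    }
} else {
    begin_request();
}
```

Calling session_regenerate_id(true) right after a successful login additionally ensures that an ID exposed before authentication is useless afterwards.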

Varoon Sahgal, Author of ProgrammerInterview