PHPSESSID (can be changed with the directive session.name) to the client. However, for this to happen, the following php.ini directive must be set:
session.use_cookies = 1
However, what happens if the client does not support cookies? Then, a second mechanism comes into play, in the form of the following directive:
session.use_trans_sid = 1
With this directive set to 1, PHP automatically falls back to a mode in which the session ID is appended to all URLs. This can create security risks (session fixation and session hijacking, for example), but is also quite practical. All relevant e-commerce websites use this mechanism, for instance Amazon. If you go to their website and load a page, the session ID is automatically appended to the end of the URL.
To be able to use session.use_trans_sid, PHP must be compiled with the switch --enable-trans-sid, something that is automatically done for the Windows and Mac OS X binaries.
The other option is to allow only cookies, not session IDs, in URLs. To do so, you can use the following directive:
session.use_only_cookies = 1
Session IDs in the URL are generally a bad thing: people could bookmark this information, some search engines will not include your sites, and so on. However, every e-commerce website (and most other websites as well) must take into account that some visitors (potential clients!) just do not like or do not support cookies. Here, sessions offer a convenient way to overcome this limitation.
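The three directives above can be checked against a php.ini file before deployment, to see whether the session ID can end up in URLs. The following PHP script is an added example, not code from the original text; the function name audit_session_ini, the defaults table and the two sample configurations are constructed for illustration.

```php
<?php
// Added example, not from the original text.

// PHP's built-in defaults for the three directives (used when php.ini omits one).
const SESSION_DEFAULTS = [
    'session.use_cookies'      => '1',
    'session.use_trans_sid'    => '0',
    'session.use_only_cookies' => '1',
];

/** Parse php.ini text and return findings about how the session ID may travel. */
function audit_session_ini(string $iniText): array
{
    // INI_SCANNER_NORMAL turns On/Yes/True into "1" and Off/No/False into "".
    $parsed = parse_ini_string($iniText, false, INI_SCANNER_NORMAL);
    if ($parsed === false) {
        throw new InvalidArgumentException('php.ini text could not be parsed');
    }

    // Resolve each directive to a boolean, falling back to the default if absent.
    $on = [];
    foreach (SESSION_DEFAULTS as $name => $default) {
        $on[$name] = filter_var($parsed[$name] ?? $default, FILTER_VALIDATE_BOOLEAN);
    }

    $findings = [];
    if (!$on['session.use_cookies']) {
        $findings[] = 'session.use_cookies is off: no cookie carries the session ID';
    }
    if ($on['session.use_trans_sid']) {
        $findings[] = 'session.use_trans_sid is on: the session ID is appended to URLs';
    }
    if (!$on['session.use_only_cookies']) {
        $findings[] = 'session.use_only_cookies is off: session IDs supplied in URLs are accepted';
    }
    return $findings;
}

// Constructed sample configurations (not taken from a real server).
$urlFallback = "[Session]\nsession.use_cookies = 1\nsession.use_trans_sid = 1\nsession.use_only_cookies = 0\n";
$cookiesOnly = "[Session]\nsession.use_cookies = On\nsession.use_trans_sid = Off\nsession.use_only_cookies = On\n";

foreach (['URL fallback' => $urlFallback, 'cookies only' => $cookiesOnly] as $label => $ini) {
    $findings = audit_session_ini($ini);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'session ID travels in cookies only', PHP_EOL;
}
```

To audit a real file, pass its contents instead of a sample string, for example audit_session_ini(file_get_contents(php_ini_loaded_file())).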