How to Maintain the Session State

The session ID has to be sent to the browser with every response and much more importantly has to be sent back to the server with every request.

The easiest way to do so is to use cookies. PHP then sends a cookie named PHPSESSID (the name can be changed with a php.ini directive) to the client. However, for this to happen, the following php.ini directive must be set:

session.use_cookies = 1

However, what happens if the client does not support cookies? Then, a second mechanism comes into play, in the form of the following directive:

session.use_trans_sid = 1

PHP then automatically falls back to a mode in which the session ID is appended to all URLs. This creates some potential security risks (session fixation and session hijacking, for example, because an ID carried in a URL ends up in bookmarks, browser history, server logs, and Referer headers), but it is also quite practical. All relevant e-commerce websites use this mechanism, for instance Amazon: if you go to their website and load a page, the session ID is automatically appended to the end of the URL.

To be able to use session.use_trans_sid, PHP must be compiled with the configure switch --enable-trans-sid, which is done automatically for the Windows and Mac OS X binaries.

The other option is to accept session IDs only from cookies, never from URLs. To do so, use the following php.ini directive:

session.use_only_cookies = 1

Session IDs in the URL are generally a bad thing: people could bookmark (or share) URLs that contain them, some search engines will not index your site, and so on. However, every e-commerce website (and most other websites as well) must take into account that some visitors (potential clients!) simply do not like or do not support cookies. Here, the URL fallback offers a convenient way to overcome this limitation.
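The following script is an added example (not part of the original text) that applies the cookie-only configuration discussed above at runtime, logs any request in which the session ID still arrives in the URL, and rotates the ID on first use to blunt the session fixation risk mentioned earlier. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params) and the default file-based session handler.

```php
<?php
// Added example: keep the session ID in a cookie only, notice when it shows up
// in the URL instead (the use_trans_sid fallback, a bookmark, or a shared link),
// and issue a fresh ID on first use so a pre-planted ID never becomes authenticated.
// Assumes PHP 7.3+ and the default file-based session handler.

declare(strict_types=1);

function configure_session(): void
{
    // Runtime equivalents of the php.ini directives discussed in the text.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never append the ID to links
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function session_id_in_url(array $query, string $name): bool
{
    // True when the request carries the session ID in its query string.
    return isset($query[$name]) && is_string($query[$name]);
}

configure_session();
$name = session_name(); // "PHPSESSID" unless changed in php.ini

if (session_id_in_url($_GET, $name)) {
    // With use_only_cookies set, PHP ignores the URL value; record the event
    // so such links can be found and fixed rather than silently tolerated.
    error_log(sprintf('session ID %s received in URL from %s',
        $name, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

session_start();

if (empty($_SESSION['initialised'])) {
    // First use of this session: replace the ID so any value an attacker could
    // have planted beforehand (session fixation) is not the one that persists.
    session_regenerate_id(true);
    $_SESSION['initialised'] = true;
}
```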