A simple experiment that illustrates what happens when users disable cookies is to request the script shown in Example 8-2 from a browser that has cookie support turned off. When repeated requests are made, the counter doesn't increment, and the session duration remains at zero seconds. Because a cookie isn't sent from the browser, the variable
$PHPSESSID is never set. The other side effect is that each time the page is requested, a session file is created in the /tmp directory. Many users configure their browsers to not accept cookies, and session-based applications won't work unless they are written to handle the missing cookie.
The session identifier that would have been sent as a cookie in this experiment can be transmitted in a
POST method request. While the
session_start( ) function can use
$PHPSESSID set by either a
POST method request, it is more practical to use the
GET variable. Using the
POST variable leads to the reload problem described in Chapter 6. Continuing the experiment, requests that don't contain the cookie can identify an existing session by setting an attribute in a
GET method request with the name
PHPSESSID and the value of the session ID. For example, an initial request can be made to Example 8-1 with the URL:
This creates a session and an associated file such as:
Subsequent requests can be made that include the
The response shows the counter set to
1 and the correct session duration. Repeated requests to this URL behave as expected: the counter increments, and the calculated duration increases.
Another advantage of avoiding cookies is that some browsers, such as Netscape and Internet Explorer, share cookies across all instances of the program running for a particular user on the same machine. This behavior prevents a user from having multiple sessions with a web database application.