sessions in url
drdre
08-11-2005, 04:42 PM
Some users don't have cookies enabled, so I want to work with sessions.
But I'm not sure how this works exactly and in detail. In the URL there is sometimes a session id displayed where my id and password are stored encrypted somehow. But how do I manage to work with this session id in the URL?
Edit: I want to be able to log in to a page but with cookies disabled. So only for one session. How do I do this?
donsipe
08-11-2005, 08:36 PM
> Edit: I want to be able to log in to a page but with cookies disabled. So only for one session. How do I do this?
This can be dangerous if the session is passed as a GET var. It is (relatively) easy to sniff out GET variables and if someone intercepts the session ID they can gain access to your site without actually logging in.
From www.php.net/session:
> There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
Also, the session ID you see is simply a unique ID number generated by PHP. PHP uses the ID number much like an array index or key value to access the data in a given element of the "array". Session data is stored on the server (in a file I believe) and is linked to this ID number.
Also on php.net:
> There are two methods to propagate a session id:
> - Cookies
> - URL parameter
> The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.
> PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under Unix, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.
drdre
08-11-2005, 09:05 PM
Hi! Thx for the info! I read that too but it's not clear to me how exactly this looks in code...
I know phpBB uses this sort of login if no cookies are enabled...
donsipe
08-17-2005, 08:21 PM
Hate to keep quoting php.net but....
From http://php.net/session:
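<?php
// Start (or resume) the session; the id arrives in the cookie or the URL.
session_start();
// session_register() was removed in PHP 5.4; keep the counter in $_SESSION.
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 1;
} else {
    $_SESSION['count']++;
}
?>
<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>
<p>
To continue, <a href="nextpage.php?<?php echo strip_tags(SID); ?>">click
here</a>.
</p>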
To bypass the cookie you simply add [some_page.php]?<? echo SID; ?> to your links. (They use strip_tags() for security reasons.) I'm pretty sure PHP will catch on when you pass the session id as a GET variable and will transform all your links to include the session id. If PHP doesn't catch on, you can help it do so by editing the php.ini.
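The risks quoted from php.net in this thread, worked into a login script as an added example (not code from php.net or from either poster): it refuses plain HTTP, shows the URL-propagation settings beside the cookie-only ones, and issues a new session id at login. The `alice` account, its password and the function names are constructed for illustration.

```php
<?php
// Added example, not php.net's or the posters' code. The user table and its
// password are constructed sample data.
$users = ['alice' => password_hash('constructed-password', PASSWORD_DEFAULT)];

function start_session(bool $allowUrlIds): void
{
    // Fix named in the php.net text: never carry the id over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTPS required');
    }
    ini_set('session.use_strict_mode', '1');  // reject ids with no session on the server
    ini_set('session.cookie_secure', '1');    // cookie sent over HTTPS only
    ini_set('session.cookie_httponly', '1');  // cookie hidden from page scripts
    if ($allowUrlIds) {
        // Weak setting from the thread: id read from and written into URLs.
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
        // The page URL now holds the id, so keep it out of Referer headers.
        header('Referrer-Policy: no-referrer');
    } else {
        // Corrected setting: the id travels in the cookie and nowhere else.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
    }
    session_start();
}

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Issue a new id at login and delete the old one, so an id that leaked
    // before login never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

start_session(false);  // pass true only if cookie-less clients must work
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, (string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? 'Logged in' : 'Login failed';
}
```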