Of course, if the user disables cookies, then the PHP developer must enable cookieless sessions (they are enabled by default in recent versions of PHP) and, as the PHP manual warns, cookieless sessions are subject to attacks.
Quote:
session.use_only_cookies
specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involving passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.
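As an added example (not from the post or the PHP manual), here is the cookie-only configuration the quoted directive is part of, applied with ini_set() before session_start(), beside a helper that reports which directives are still in a weak state. The directive names are real php.ini settings; the function and constant names are this example's own.

```php
<?php
// Added example: enforce cookie-only session ids and report weak settings.
// Directive names are real php.ini settings; the helpers are this example's own.

// Target values: ids accepted only from cookies, no URL rewriting, ids the
// server never issued rejected, and cookie flags that limit id exposure.
const HARDENED_SESSION_INI = [
    'session.use_only_cookies' => '1',      // ignore session ids passed in URLs
    'session.use_trans_sid'    => '0',      // never rewrite links to carry the id
    'session.use_strict_mode'  => '1',      // reject ids the server did not create
    'session.cookie_httponly'  => '1',      // keep the cookie away from JavaScript
    'session.cookie_secure'    => '1',      // send the cookie over HTTPS only
    'session.cookie_samesite'  => 'Strict', // PHP >= 7.3
];

/** Compare ini values, treating "On"/"1"/"true" (and "Off"/"0"/"") as equal. */
function iniMatches(string $actual, string $wanted): bool
{
    $a = filter_var($actual, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    $w = filter_var($wanted, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($a !== null && $w !== null) {
        return $a === $w;
    }
    return strcasecmp($actual, $wanted) === 0; // non-boolean values, e.g. SameSite
}

/** Return directive => current value for every directive not yet hardened. */
function weakSessionDirectives(): array
{
    $weak = [];
    foreach (HARDENED_SESSION_INI as $key => $wanted) {
        $actual = ini_get($key);
        if ($actual === false || !iniMatches((string) $actual, $wanted)) {
            $weak[$key] = $actual === false ? '(directive unavailable)' : $actual;
        }
    }
    return $weak;
}

/** Apply the hardened values; must run before session_start(). */
function hardenSessionIni(): void
{
    foreach (HARDENED_SESSION_INI as $key => $value) {
        ini_set($key, $value);
    }
}

// Usage: report what the current php.ini leaves weak, then harden and start.
foreach (weakSessionDirectives() as $key => $actual) {
    echo "weak: $key = $actual\n";
}
hardenSessionIni();
session_start();
echo 'weak after hardening: ' . count(weakSessionDirectives()) . "\n";
```

Running the check before hardening on a stock php.ini typically lists cookie_secure and cookie_samesite, since use_only_cookies itself has defaulted to 1 since PHP 5.3.0 as the manual says.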