How to pass session ID via URL

Hi everyone,

how do I go about passing a session ID via an URL?

On one of my pages I use session_start(); and then add various values to session variables like so: _SESSION['name'] = _POST[name’];. However, if cookies are disabled a lot of content is missing when someone proceeds to the next page. I’ve heard that PHP can automatically pass the session ID when cookies are disabled, but how to enable this function? Also do I need to sanitize the ID at all?

Please help me out, I haven’t been able to find much info on this topic.

Thank you in advance.

Good evening :slight_smile:

You don’t really need to pass session ID’s around via the URL.

All you need to do is add session_start() at the top of all your php pages that needs to access the global SESSION array. Sessions are stored server side so you don’t need to keep track of those ID’s, it does that automatically and it will be unique to everyone visiting your site.

If you for instance create a login page you will validate the user input and store the logged in status in the session array.

<?php $_SESSION['uid'] = $db_results->user_id;
$_SESSION['email_address'] = $db_results->user_email;
$_SESSION['logged_in'] = true;

Wherever you used session_start() at the top of php pages you will be able to access the stored info.

You can read more about php sessions here:

Hope this answers your question simply.

Sure, he doesn’t need to but he wants to :wink:

Session ID can be passed by adding it manually to your links or php can automatically add them to all your links on the page, you can read the examples here.

Generally, passing session ID’s via all links on your site is not a good idea - it’s best to use it only in specific situations - like if you have a series of forms then pass session ID manually only when the user navigates to the next form in the series - in forms you can pass the session ID either as part of the form’s action attribute or in a hidden input element.

If you turn off cookies but don’t disable storing the session in the querystring then the session id will automatically be passed in the URL.

Hi kobusbeets, Lemon Juice and felgall,

thank you for all of your input and please excuse the late reply.

I did manage to pass the session ID with cookies turned off. I’ve noticed that if I pass the ID manually the query string will of course include the PHPSESSID=value. If PHP passes the the ID automatically, then I don’t see the PHPSESSID=value appended to the URL. Is this what the PHP manual refers to when it states that “PHP is capable of transforming links transparently”? If PHP can pass the ID automatically (with the benefit that the ID is not visible in the URL), then why would one have the need to pass the ID manually?

Thank you again!

PHP can pass the session id in two ways:

  1. session cookie (retained in the browser itself)
  2. querystring (on the end of the URL)

It tries to pass it in a session cookie first. If you have disabled that option or your visitor has disabled that option then it gets passed in the querystring instead. If you disable the querystring option and your visitor disables the cookie option then the session can’t get passed. If you disable the cookie option then it will always get passed in the querystring.

It gets passed automatically either way.

Thank you Stephen for your prompt reply.