Sessions without Cookies in CodeIgniter

Why No Cookies?

I wrote a web application that is used primarily by university students. They use it mostly from their school’s computer labs, libraries, and classrooms, and rarely from their own computers. The most surprising (and frustrating) thing about this scenario is that at least half of these universities have disabled cookies on any school-owned computer.

This becomes a challenge because the cookie is the primary means by which PHP keeps track of the session ID. I saw 2 alternatives:

  1. Put the session ID in the URL
  2. Use POST instead of GET

I went with Option 1. It isn’t ideal (session hijacking, anyone?) but I figured it’s the best I could do given the circumstances.

Standard PHP

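When you disable cookies for standard (non-CodeIgniter) PHP sites, PHP does a little bit of magic: its transparent session ID support (the session.use_trans_sid setting) rewrites relative links in the output. For example, if your page contains an anchor tag: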

<a href="/path/to/page.php">Click Me!</a>

PHP (with session cookies turned off) will render this:

<a href="/path/to/page.php?PHPSESSID=THESESSIONIDHERE">Click Me!</a>

It’s nice that PHP does that – but by default, CodeIgniter doesn’t have GET parameters enabled!

CodeIgniter Routing

CodeIgniter has a nice feature called routing that allows me to break the normal URI pattern of

/controller/method/parameter

Since I have no idea how many parameters any particular method will need, I can’t reliably put the session ID at the end of the URL. I can also add folders where my controllers are, so I can conceivably have a URI with folders like this:

/folder/controller/method/parameter

or this:

/folder/folder/controller/method/parameter

I decided that it was best to use routing to put the session ID in segment 1 of the URI (typically reserved for the controller – but could be a folder as well). My final pattern is now:

/session id/controller/method/parameter

I change /application/config/routes.php so that CodeIgniter ignores segment 1 when it is looking for the right controller:

$route['(\w*)/(.*)'] = "$2";

In my controllers, I make sure I retrieve the session ID from the routed URI:

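session_name('PHPSESSID');        // PHP's default session name
$sid = $this->uri->segment(1);    // session ID arrives as URI segment 1
session_id($sid);                 // adopt that ID for this request
session_start();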

That’s it! Sessions without cookies using CodeIgniter.
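The segment-1 lookup above adopts whatever ID the URL carries, which is where the hijacking concern mentioned earlier comes from. The following is an added example, not the post's code, of one way to harden it against fixed and stale IDs, assuming PHP 7.1+ and the default file session handler; `is_plausible_sid`, `start_url_session`, `rotate_after_login`, the `last_seen` key and the 15-minute idle limit are hypothetical.

```php
<?php
// Added example, not the post's code. Function names, the 'last_seen' key
// and the 15-minute idle limit are hypothetical.

// IDs generated by PHP use only [A-Za-z0-9,-]; reject anything else outright.
function is_plausible_sid(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid) === 1;
}

// Starts the session named by URI segment 1; returns the ID to place in links.
function start_url_session(string $segment1, int $now, int $idleLimit = 900): string
{
    ini_set('session.use_cookies', '0');      // cookies are blocked on these machines
    ini_set('session.use_strict_mode', '1');  // do not accept uninitialized IDs

    session_name('PHPSESSID');
    if (is_plausible_sid($segment1)) {
        session_id($segment1);                // otherwise PHP generates a fresh ID
    }
    session_start();

    // 'last_seen' is only ever written here, so an ID this server never issued
    // has none. An ID idle past the limit (say, a URL reopened later from a
    // shared lab machine's history) is treated the same way.
    $live = isset($_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen']) <= $idleLimit;
    if (!$live) {
        $_SESSION = [];
        session_regenerate_id(true);          // drop the old ID and its data
    }
    $_SESSION['last_seen'] = $now;

    // The ID is part of every URL, so keep it out of Referer headers.
    header('Referrer-Policy: no-referrer');
    return session_id();
}

// Call right after a successful login so an ID seen before login is useless.
function rotate_after_login(): string
{
    session_regenerate_id(true);
    return session_id();
}
```

Build every link and redirect from the returned ID, called for instance as `start_url_session($this->uri->segment(1), time())`, because it can differ from the one that arrived in segment 1.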

3 thoughts on “Sessions without Cookies in CodeIgniter”

  1. This is cool – and – couldn’t you call another controller before calling the view — and then NOT display the session id in the URL — so it is cleaner / bookmark friendly — but still have the session id on the internal links? Then if someone bookmarks the page — and there is no session id — start a new session.

  2. The issue is preserving the session ID – with no cookie, where do you store it? Another possibility is to have every link post a form and make the session ID a hidden form field.
