Sessions without Cookies in CodeIgniter

Why No Cookies?

I wrote a web application that is primarily used by university students. Students use it primarily from their school’s computer labs, libraries, and in their classrooms. They rarely access the application from their own computer. The most surprising (and frustrating) thing about this scenario is that at least half of these universities have disabled cookies on any school-owned computer.

This becomes a challenge because the cookie is the primary means by which PHP keeps track of the session ID. I saw 2 alternatives:

  1. Put the session ID in the URL
  2. Use POST instead of GET

I went with Option 1.  It isn’t ideal (session hijacking, anyone?) but I figured it’s the best I could do given the circumstances.

Standard PHP

When you disable cookies for standard (non-CodeIgniter) PHP sites, the PHP parser does a little bit of magic. For example, if your page contains an anchor tag:

<a href="/path/to/page.php">Click Me!</a>

PHP (with session cookies turned off) will render this:

<a href="/path/to/page.php?PHPSESSID=THESESSIONIDHERE">Click Me!</a>

It’s nice that PHP does that – but by default, CodeIgniter doesn’t have GET parameters enabled!

CodeIgniter Routing

CodeIgniter has a nice feature called routing that allows me to break the normal URI pattern of

/controller/method/parameter

Since I have no idea how many parameters any particular method will need, I can’t necessarily put the session id at the end of the URL. I also have the capability of adding folders where my controllers are, so I can conceivably have a uri with folders like this:

/folder/controller/method/parameter

or this:

/folder/folder/controller/method/parameter

I decided that it was best to use routing to put the session id in segment 1 of the uri (typically reserved for the controller – but could be a folder as well). My final pattern is now:

/session id/controller/method/parameter

I change /application/config/routes.php to ignore segment 1 when CodeIgniter is looking for the right controller:

$route['(\w*)/(.*)'] = "$2";

In my controllers, I make sure I retrieve the session id from the routed uri:

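// Keep PHP's default session name
session_name('PHPSESSID');
// Segment 1 of the requested URI carries the session ID
$sid = $this->uri->segment(1);
// Resume that session instead of letting PHP generate a new ID
session_id($sid);
session_start();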

That’s it! Sessions without cookies using CodeIgniter.
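
A hardened variant of the controller snippet above, added here as an example (it is not the author's code): it checks the value taken from segment 1 before resuming the session and replaces any ID the server did not issue or that has gone idle. It assumes PHP's default alphanumeric session IDs; resume_url_session(), rotate_on_login(), SID_PATTERN and IDLE_LIMIT are hypothetical names, and the 900-second idle limit is an assumed value.

```php
<?php
// Added example, not the post's code. resume_url_session(), rotate_on_login(),
// SID_PATTERN and IDLE_LIMIT are hypothetical names, not CodeIgniter APIs.
const SID_PATTERN = '/^[A-Za-z0-9]{22,128}$/'; // assumed shape of IDs PHP issues
const IDLE_LIMIT  = 900;                        // assumed idle timeout, in seconds

function resume_url_session(string $segment): string
{
    ini_set('session.use_cookies', '0');     // the browser will not keep a cookie
    ini_set('session.use_strict_mode', '1'); // PHP's own check for unknown IDs

    // Hand the URL value to PHP only if it has the shape of a PHP session ID.
    if (preg_match(SID_PATTERN, $segment) === 1) {
        session_id($segment);
    }
    session_name('PHPSESSID');
    session_start();

    // A session this function created carries both markers; anything else is
    // an ID the server never issued, or one that has been idle too long.
    $valid = isset($_SESSION['issued_at'], $_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= IDLE_LIMIT;
    if (!$valid) {
        $_SESSION = [];
        session_regenerate_id(true);         // discard the supplied ID
        $_SESSION['issued_at'] = time();
    }
    $_SESSION['last_seen'] = time();

    if (!headers_sent()) {
        header('Referrer-Policy: no-referrer'); // keep the ID out of Referer
        header('Cache-Control: no-store');      // and out of shared caches
    }
    return session_id(); // put this in segment 1 of every internal link
}

// Call right after a successful login so the pre-login ID stops being valid.
function rotate_on_login(): string
{
    session_regenerate_id(true);
    $_SESSION['issued_at'] = time();
    return session_id(); // redirect to a URL that uses the new ID
}
```

In a controller, pass $this->uri->segment(1) to resume_url_session() and, when the returned ID differs from that segment, redirect to the same path under the returned ID.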

About Jon Trelfa

I live in Detroit, Mi.

2 Responses to Sessions without Cookies in CodeIgniter

  1. cartalot says:

    this is cool – and – couldn’t you call another controller before calling the view — and then NOT display the session id in the URL — so is cleaner / bookmark friendly — but still have sessionid on the internal links? then if someone bookmarks page — and there is no session id — start a new session.

  2. Jon Trelfa says:

    The issue is preserving the session ID – with no cookie, where do you store it? Another possibility is to have every link post a form and make the session ID a hidden form field.
