Why No Cookies?
I wrote a web application that is primarily used by university students. Students use it primarily from their school’s computer labs, libraries, and in their classrooms. They rarely access the application from their own computer. The most surprising (and frustrating) thing about this scenario is that at least half of these universities have disabled cookies on any school-owned computer.
This becomes a challenge because the cookie is the primary means that PHP keeps track of the session ID. I saw 2 alternatives:
- Put the session ID in the URL
- Use POST instead of GET
I went with Option 1. It isn’t ideal (session hijacking, anyone?) but I figured it’s the best I could do given the circumstances.
When you disable cookies for standard (non CodeIgniter) PHP sites, the PHP parser does a little bit of magic. For example if your page contains an anchor tag:
PHP (with session cookies turned off) will render this:
It’s nice that PHP does that – but by default, CodeIgniter doesn’t have GET parameters enabled!
CodeIgniter has a nice feature called routing that allows me to break the normal URI pattern of
Since I have no idea how many parameters any particular method will need, I can’t necessarily put the session id at the end of the URL. I also have the capability of adding folders where my controllers are, so I can conceivably have a uri with folders like this:
I decided that it was best to use routing to put the session id in segment 1 of the uri (typically reserved for the controller – but could be a folder as well). My final pattern is now:
I change /application/config/routes.php to ignore segment 1 when CodeIgniter is looking for the right controller:
In my controllers, I make sure I retrieve the session id from the routed uri:
$sid = $this->uri->segment(1);
That’s it! Sessions without cookies using CodeIgniter.