How to disable PHP session cookie?

Question

I am writing PHP code where I want to pass the session id myself using POST. I don\'t want a cookie to store the session, as it should get lost when the user gets out of the

Answer 1

I was having trouble with PHP's documented approach to destroying a session w/ cookies.

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

This was resulting in my seeing the cookie set twice:

Set-Cookie: SESSION_NAME=deleted; expires=Sat, 08-Jan-2011 14:09:10 GMT; path=/; secure
Set-Cookie: SESSION_NAME=1_4f09a3871d483; path=/

As documented in the PHP comments, setting the cookie value to something other than empty ('') gets rid of the "deleted" value, but the second cookie set remained.

To get rid of that, I had to add the code suggested above:

ini_set('session.use_cookies', '0');

I haven't looked at the source for sessions handling, but my guess is that setcookie(...) is bypassing the sessions module, so sessions doesn't know I called it. So, it is setting a default cookie after I set up a deleted cookie.

I was testing on a mac: PHP 5.3.6 with Suhosin-Patch (cli) (built: Sep 8 2011 19:34:00)