PhyCoMath - 1 year ago
Ini Question

Purpose of checking session.use_only_cookies when creating a session?

I am currently creating a session where I check the ini file to see if session.use_only_cookies is set. Is this really necessary? I mean, is there a way for the client to mess with the file? The reason why I am asking is because if the user is redirected to the same domain, this check would just loop over and over again.

How can I prevent this when the session is global? Or is this even necessary to add when creating a session?

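$session_life = 3600;
$session_name = 'SecUser';
$secure = true;     // not defined in the original snippet; assumed value, sends the cookie over HTTPS only
$http_only = true;  // keeps the session cookie out of reach of JavaScript
// ini_set() returns the old value on success and false on failure
if (ini_set('session.use_only_cookies', 1) === false) {
    header('HTTP/1.1 500 Internal Server Error', true, 500);
    exit;
}
$cookieParams = session_get_cookie_params();
session_set_cookie_params($session_life, $cookieParams['path'], $cookieParams['domain'], $secure, $http_only);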

Answer Source

In my opinion it's not necessary.

And no, the client can't mess with the ini file. That's for sure.

If you just want a standard session with a session id, you can do it the quick and easy way: Just use session_start() - and that's it! No ini_set(), no session_get_cookie_params(), no session_set_cookie_params(), no session_name(), no session_regenerate_id(). All those functions are only required for special cases.

EDIT after comment:
In some environments (e.g. shared hosting) you don't have access to php.ini. That's why PHP lets you get and/or set some of those settings from within the app. Besides, there might be some (very exotic) use cases where somebody would want to change this ini setting dynamically...
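
An added example, not part of the original question or answer: one way to enforce cookie-only session IDs without the redirect loop the question describes, by reading the effective value first, changing it only when needed, and answering a failure with a single 500 instead of a redirect. It goes beyond session.use_only_cookies by also pinning two related directives; it assumes PHP 7.3 or later and an HTTPS site, and the function names, the 'Lax' SameSite value and the '/' path are assumptions.

```php
<?php
// Added example; SecUser and 3600 come from the question, everything else is assumed.

/** Make sure one boolean session directive has the wanted value; false if it cannot be enforced. */
function enforce_session_ini(string $key, bool $wanted): bool
{
    // ini_get() reports boolean directives as "1", "0" or "", so normalise before comparing.
    if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN) === $wanted) {
        return true;                        // already configured, nothing to change
    }
    // ini_set() returns the old value on success and false on failure
    // (for example when a session is already active or output has started).
    if (ini_set($key, $wanted ? '1' : '0') === false) {
        return false;
    }
    return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN) === $wanted;
}

function start_cookie_only_session(string $name = 'SecUser', int $lifetime = 3600): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                             // session settings cannot change once it is active
    }
    $required = [
        'session.use_only_cookies' => true,  // never accept a session ID from the URL
        'session.use_trans_sid'    => false, // never append the session ID to links
        'session.use_strict_mode'  => true,  // reject session IDs the server did not issue
    ];
    foreach ($required as $key => $wanted) {
        if (!enforce_session_ini($key, $wanted)) {
            // Fail closed with one 500 response; no redirect is issued, so nothing can loop.
            http_response_code(500);
            exit('Session configuration error');
        }
    }
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,                 // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name($name);
    session_start();
}

start_cookie_only_session();
```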
