
Passing Session IDs in the Query String

So far, you have relied on a cookie to save the session ID between script requests. On its own, this is not the most reliable way of saving state because you cannot be sure that the browser will accept cookies. You can build in a failsafe, however, by passing the session ID from script to script embedded in a query string. PHP makes a name/value pair available in a constant called SID if a cookie value for a session ID cannot be found. You can add this string to any HTML links in session-enabled pages:


<a href="anotherpage.html?<?php print SID; ?>">Another page</a>

This link will reach the browser as


<a href="anotherpage.html?PHPSESSID=08ecedf79fe34561fa82591401a01da1">Another page</a>

The session ID passed in this way is automatically recognized in the target page when session_start() is called, and you have access to session variables in the usual way.

If the php.ini directive session.use_trans_sid is set to on, this query string is automatically added to every link in your pages. This option is disabled by default, however, so explicitly adding the SID constant to links makes your scripts more portable.

There are security issues with session IDs in query strings. A link that a user pastes into an email, or that is left in a browser's history, carries the session ID with it, so a third party who obtains the link can hijack the session. If you use session IDs in URLs, you should be aware of this risk. Consider implementing an expiry scheme for sessions that have been idle for longer than a fixed length of time, or even requiring your users to enable cookies.
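One way to implement the idle-expiry scheme suggested above, as an added example that is not part of the original text. The 15-minute limit, the `last_seen` session key and the `session_is_fresh()` helper are assumptions chosen for illustration.

```php
<?php
// Added example: expire sessions that have been idle too long, so a
// session ID leaked through a URL stops being useful after the limit.

const IDLE_LIMIT = 900; // seconds of allowed inactivity (assumed value)

/**
 * Check the idle time recorded in the session data.
 * Returns false if the session has been idle longer than $limit;
 * otherwise refreshes the timestamp and returns true.
 * 'last_seen' is a hypothetical key used only by this example.
 */
function session_is_fresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_seen']) && ($now - $session['last_seen']) > $limit) {
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Picks up the session ID from the cookie or, if PHP is configured to
// accept it, from the PHPSESSID query-string parameter.
session_start();

if (!session_is_fresh($_SESSION, time())) {
    // Stale session: drop everything stored in it ...
    $_SESSION = [];
    // ... then issue a new ID and delete the old server-side record,
    // so the ID embedded in any old link no longer maps to a session.
    session_regenerate_id(true);
    $_SESSION['last_seen'] = time();
}

// From here on, $_SESSION holds either the still-valid session data
// or an empty session that the user must repopulate (e.g. by logging in).
```

Run the check at the top of every session-enabled page, before any session variable is read.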
