Requiring Cookies

If the browser doesn’t accept cookies, a session cannot be established because the PHP directive
session.use_only_cookies has been set to 1 and the alternative (passing the PHPSESSID in the query
string of the URL) has been disabled by setting session.use_trans_sid to 0. This is a best practice, as
recommended by Zend; see http://php.net/session.configuration:

URL-based session management has additional security risks compared to cookie-based
session management. Users may send a URL that contains an active session ID
to their friends by e-mail or users may save a URL that contains a session ID to their
bookmarks and access your site with the same session ID always, for example.


When PHPSESSID appears in the query string of a site, it’s typically a sign that the hosting provider
has locked down PHP and doesn’t allow the ini_set() function to set PHP directives at runtime.
Alternatives are to move the settings into the .htaccess file (if the host is running PHP as an Apache
module) or into a local php.ini file (if the host is running PHP as a CGI executable).
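
The following is an added example, not code from the original page. It applies the two directives named above at runtime and refuses to start a session if the host rejects the change. The function name, the log messages and the fail-closed handling are assumptions made for illustration.

```php
<?php
// Added example. Equivalent static settings when the host blocks ini_set():
//   .htaccess (PHP running as an Apache module):
//       php_flag session.use_only_cookies on
//       php_flag session.use_trans_sid off
//   local php.ini (PHP running as a CGI executable):
//       session.use_only_cookies = 1
//       session.use_trans_sid = 0

const REQUIRED_SESSION_FLAGS = [
    'session.use_only_cookies' => true,   // session ID accepted from cookies only
    'session.use_trans_sid'    => false,  // never rewrite URLs to carry PHPSESSID
];

/** Returns the directives that could not be brought to the required value. */
function enforce_cookie_only_sessions(): array  // hypothetical helper name
{
    $unenforced = [];
    foreach (REQUIRED_SESSION_FLAGS as $directive => $wanted) {
        // ini_get() may report "", "0", "1", "On" or "Off"; normalise to bool.
        $current = filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
        if ($current === $wanted) {
            continue; // already set correctly by php.ini or .htaccess
        }
        // ini_set() returns false when the runtime change is refused.
        if (@ini_set($directive, $wanted ? '1' : '0') === false) {
            $unenforced[] = $directive;
        }
    }
    return $unenforced;
}

$unenforced = enforce_cookie_only_sessions();
if ($unenforced !== []) {
    // Fail closed: do not start a session whose ID could end up in a URL.
    error_log('Cookie-only sessions not enforced: ' . implode(', ', $unenforced));
    http_response_code(500);
    exit('Session configuration error.');
}

// With session.use_only_cookies on, PHP ignores an ID in the query string;
// logging it helps spot old bookmarks or shared links that still carry one.
if (isset($_GET[session_name()])) {
    error_log('Ignored session ID supplied in query string');
}

session_start();
```

The check must run before session_start() and before any output is sent, because session directives cannot be changed once the session is active.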