I don't think it's too much to ask your users to enable cookies. I find it silly when people turn them off entirely.

我认为要求您的用户启用 cookie 并不过分。当人们完全关闭它们时，我觉得很愚蠢。

Otherwise, you can set your session.use_only_cookiesto "0" to force the appendage of a session ID to URLs within your php. This approach, however, has several draw backs. Mainly that of keeping the state within the URL, as opposed to the Cookie header. If a user were to copy and paste the URL of the page they were on, and someone else were to click on it, they would both be using the same session.

否则，您可以将您的设置session.use_only_cookies为“0”以强制将会话 ID 附加到您的 php.ini 文件中的 URL。然而，这种方法有几个缺点。主要是将状态保留在 URL 中，而不是 Cookie 标头。如果用户要复制并粘贴他们所在页面的 URL，而其他人要单击它，那么他们将使用相同的会话。

<?php
     ini_set("session.use_cookies", 0);
     ini_set("session.use_only_cookies", 0);
     ini_set("session.use_trans_sid", 1);
     ini_set("session.cache_limiter", "");
     session_start();

You can set the ini-Value of session.use_trans_sidto true in order to activate appending the session id to every URL. Have a look at this.

您可以将 ini-Value 设置session.use_trans_sid为 true 以激活将会话 ID 附加到每个 URL。看看这个。

For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (behind a proxy e.g.) could reuse that very same session.

出于安全目的，您应该将会话限制为创建会话的 IP。但这并不完全安全，因为具有相同 IP 的人（例如在代理后面）可以重用相同的会话。

You can work with session IDs in URLs, and disabling cookies with:

您可以使用 URL 中的会话 ID，并通过以下方式禁用 cookie：

ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);
session_start();
// IP check
if($_SESSION['ip_check'] != $_SERVER['REMOTE_ADDR']){
   session_regenerate_id();
   session_destroy();
   session_start();
}
$_SESSION['ip_check'] = $_SERVER['REMOTE_ADDR'];
// session stuff

Note: it's highly discougared to use session IDs in URLs. IP addresses can change when travelling around with a wireless card and proxy servers have the same IP address. It's easily broken when clicking 'an old URL' (with the old session ID).

注意：强烈建议不要在 URL 中使用会话 ID。携带无线网卡四处旅行时，IP 地址可能会发生变化，并且代理服务器具有相同的 IP 地址。单击“旧 URL”（使用旧会话 ID）时，它很容易被破坏。

You may also be interested in creating your own session handling function (in conjuction with a database). You would ignore the session ID, and bind it to the IP address. (see examples in http://php.net/manual/en/function.session-set-save-handler.php)

您可能还对创建自己的会话处理函数（与数据库结合使用）感兴趣。您将忽略会话 ID，并将其绑定到 IP 地址。（参见http://php.net/manual/en/function.session-set-save-handler.php 中的示例）

References:

参考：

• http://php.net/manual/en/session.configuration.php

• http://php.net/manual/en/session.configuration.php

You can save session id per IP in the database:

您可以在数据库中保存每个 IP 的会话 ID：

Create a mysql table with three fields: session_id, ip and unique temp key (for logged users) or any other condition you like. Then turn off session cookies and use_trans_sid.

创建一个包含三个字段的 mysql 表：session_id、ip 和唯一临时键（对于登录用户）或任何其他您喜欢的条件。然后关闭会话 cookie 和 use_trans_sid。

then make a code to manage session behavior based on this new table!

然后根据这个新表编写代码来管理会话行为！

after session_start()save session_id in the table and later receive it from table (by IP and any other condition) and then call

在session_start()表中保存 session_id 之后从表中接收它（通过 IP 和任何其他条件）然后调用

session_id($in_table_session_id);

for more information and complete guide see: https://gist.github.com/mimrahe/77415f4a9e238c313bbe8c42f8a6b7fe

有关更多信息和完整指南，请参阅：https: //gist.github.com/mimrahe/77415f4a9e238c313bb​​e8c42f8a6b7fe

You could create a database record or temporary file and check $_SERVERvars against the request on every page load. It's a security risk, but with enough variables (have a look at the list here) you may feel you've gotten the chance of hiHyman down to an acceptable level; only you know how secure your app needs to be.

您可以创建一个数据库记录或临时文件，并$_SERVER在每次页面加载时根据请求检查变量。这是一个安全风险，但如果有足够多的变量（查看这里的列表），您可能会觉得自己有机会被劫持到可接受的水平；只有您知道您的应用程序需要多安全。

If I wanted to do that then I would add the session id in the HTML code as a comment tag and use and configure the PHP code to use that session id which is included in the HTML code. I think it will be more relevant to do that instead of doing it with user IP or adding the session id in the URL.

如果我想这样做，那么我会在 HTML 代码中添加会话 ID 作为注释标签，并使用和配置 PHP 代码以使用包含在 HTML 代码中的会话 ID。我认为这样做比使用用户 IP 或在 URL 中添加会话 ID 更相关。

The correct answer on this is NO. Using any combination of variables besides a cookie is insecure.

正确答案是否定的。使用除 cookie 之外的任何变量组合都是不安全的。

Think about it: when a user FIRST requests a page, the server is sending the page along with a unique value saying "HTTP is stateless, keep this so I know it's 'you' next time you call". That means, that person, in that browser (regardless of tab), running at that time, has a unique token.

想一想：当用户 FIRST 请求一个页面时，服务器会发送该页面以及一个唯一的值，该值表示“HTTP 是无状态的，保留此值，以便我知道下次您调用时它是‘你’”。这意味着，那个人，在那个浏览器（不管选项卡）中，当时运行，拥有一个唯一的令牌。

If and only if they've logged in successfully, that token can now be tied to a session on the server side. Tokens are supposed to be so long and random that nobody could guess one in time.

当且仅当他们成功登录时，该令牌现在可以绑定到服务器端的会话。代币应该很长而且很随机，以至于没有人能及时猜到。

Multiple browsers could be using the same IP address. Multiple people could have the EXACT same user agent. A cookie is the only storage system that works.

多个浏览器可能使用相同的 IP 地址。多人可以拥有完全相同的用户代理。cookie 是唯一有效的存储系统。

There's actually one more way, and that is to add the unique token to every single link back to the serveras well as all AJAX calls, like ?PHPSESSID=my-unique-token-189481958- but that's a pain to code.

实际上还有另一种方法，那就是将唯一令牌添加到每个返回服务器的链接以及所有 AJAX 调用中，例如?PHPSESSID=my-unique-token-189481958- 但这对编码来说很痛苦。