[RESOLVED] sessions w/o cookies

[Ultimater]

Why session cookies is not an option:
Users will enter my PHP page and I want them to be able to reload the page as many times as they want and be given a new session nor do I want to lose users or receive complaints about cookies being enabled. If I were to use session cookies, the cookie wouldn't expire upon page reload and give the user a new session.

The user enters my page via a GET request: filloutform.php and is given a unique session
The user submits the form via a POST request: filloutform.php?step=2 the session from the first page is passed along
The user submits that form via a POST request: filloutform.php?step=3 the session is passed along from the 2nd page that was passed from the first page which was generated when the user first entered the entry page.
etc.

Upon the entry of the system filloutform.php, I want PHP to generate a unique string for the user e.g. b6b6991099b90dfe8c76b474a5790842 store it in a variable $sessionid, log it into the database and use it twice within my form:

Code:

<form method="post" action="filloutform.php?step=2">
...
<img src="imagegenerator.php?sessionid=<? echo $sessionid; ?>" alt="Confirmation Image">
<input type="text" name="confirmationcode" value="">
<input type="hidden" name="sessionid" value="<? echo $sessionid; ?>">
...
</form>

How would I generate a unique string for each user that enters the entry of the system and each time they reload the entry page it would generate a new string?

[themarty]

http://www.php.net/session
if session.use_only_cookies is set to 0 PHP will automatically pass the session-id through the url instead of cookies, when cookies are not available

p.s. i think trans-id also has te be enabled.
anyways, you can find all the info at that page - including the risks of using the url

[Ultimater]

Thanks for the information themarty, not quite what I was looking for...
I think the buzz word I was looking for here was a UUID (Universal Unique Identifier).

Code:

mysql_query("SELECT UUID()")

The function uniqid also seems to do what I want.

Code:

md5(uniqid(rand(), true))

[themarty]

but why wouldn't you just let PHP handle it? with the settings i gave you, you won't have to worry about excluding people who have cookies disabled.
involving mysql just generates extra overhead. .. unless you want to create your own session-handler using a database

[Vectorman211]

I think that's exactly what he wants to do. I don't see the reason for it however, you still have to keep track of who the user is somehow .

[themarty]

I don't see the reason for it however, you still have to keep track of who the user is somehow

well, that's not too hard.
when someone's trying to log in, you've already appointed a session-id to him, so once he has succesfully logged in you can record his user-id with his session-id