How to disable session in php?
Remark: I updated this answer several times by adding more information and striking out previous sentences that I discovered as being erroneous. On the last edit I reformulated it completely, removed the wrong sentences and references to PHP source code.
The documentation of the Sessions extension reads:
Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure.
Calling session_status() or any other session function on a PHP compiled with --disable-session triggers a PHP Fatal Error that stops the script because the function does not exist:
$ php -m | grep session
$ php -r 'session_start();'
PHP Fatal error: Call to undefined function session_start() in Command line code on line 1
The documentation also says:
The Windows version of PHP has built-in support for this extension. You do not need to load any additional extensions in order to use these functions.
This probably means there is no way to remove the sessions functionality from PHP on Windows.
How to disable the sessions without recompiling PHP
You can disable the session functions by setting empty or invalid values for session.save_handler or session.serialize_handler in php.ini.
For testing you can set session.save_handler, for example, in the command line using the -d option; it overrides the value read from php.ini:
$ php -d session.save_handler=foo -r 'session_start(); var_dump(session_status() == PHP_SESSION_DISABLED);'
PHP Warning: session_start(): Cannot find save handler 'foo' - session startup failed in Command line code on line 1
PHP Stack trace:
PHP 1. {main}() Command line code:0
PHP 2. session_start() Command line code:1
bool(true)
As you can see session_start() triggers a warning complaining about the handler not being valid and the session status is disabled (it cannot start).
The sessions cannot be disabled from the PHP code
If you try to set an invalid value to session.save_handler at runtime, ini_set() triggers a warning and doesn't change the value.
$ php -r 'ini_set("session.save_handler", "foo"); session_start(); var_dump(session_status() == PHP_SESSION_ACTIVE);'
PHP Warning: ini_set(): Cannot find save handler 'foo' in Command line code on line 1
PHP Stack trace:
PHP 1. {main}() Command line code:0
PHP 2. ini_set() Command line code:1
bool(true)
The session is active. It started successfully.
But they can be re-enabled from the PHP code if they were disabled from settings
However, even if the handler is set as invalid in php.ini or in the command line, the PHP code can fix it before it calls session_start():
$ php -d session.save_handler=foo -r 'ini_set("session.save_handler", "files"); session_start(); var_dump(session_status() == PHP_SESSION_ACTIVE);'
bool(true)
Again, session_start() succeeded, the session is active.
Conclusion
You can disable the session functions by setting an empty or invalid value for session.save_handler or session.serialize_handler in php.ini.
Please note that if any of these values is invalid, session_start() triggers a PHP Warning.
However, because both these settings can be modified from everywhere (PHP_INI_ALL means php.ini, httpd.conf, .htaccess, PHP code), they can be, as well, set back to valid values from the PHP code, cancelling this way any effort to disable sessions.
Apparently there is no way to enforce disabling the session, apart from compiling PHP without session support, as explained above.
Upon consulting the PHP source there is the following file at ext/session/tests/session_status_disabled.phpt:
--TEST--
Test session_status() function : disabled
--SKIPIF--
<?php include('skipif.inc'); ?>
--INI--
session.save_handler=non-existent
--FILE--
<?php
echo "*** Testing session_status() : disabled\n";
var_dump(session_status() == PHP_SESSION_DISABLED);
?>
--EXPECTF--
*** Testing session_status() : disabled
bool(true)
So, when there is no save_handler for the session, then session_status() will return PHP_SESSION_DISABLED.
Conclusion:
Disable sessions by doing the following:
Modify this line in the php.ini file:
session.save_handler=non-existent
If you are running a web server it may have its own config file which overrides the ini file. For me, in Apache, I had to comment out the following lines in /etc/httpd/conf.d/php.conf:
#php_value session.save_handler "files"
#php_value session.save_path "/var/lib/php/session"
Or alternatively set the values there instead.
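An added example, not part of either answer: a PHP check that reports which of the cases described above the running interpreter is in, and whether the two session directives are declared changeable from script code. The function name audit_sessions(), the file name in the comment and the state labels are made up for this illustration.

```php
<?php
// Added example, not code from the answers above.
// Constructed usage: php -d session.save_handler=foo audit_sessions.php
// (audit_sessions.php is a hypothetical file name for this script).

/**
 * Report which of the cases discussed on this page the interpreter is in.
 * audit_sessions() and its state labels are names chosen for this example.
 */
function audit_sessions(): array
{
    // Built with --disable-session: no session functions, nothing to inspect.
    if (!extension_loaded('session')) {
        return ['state' => 'not-compiled', 'directives' => []];
    }

    // With details enabled, ini_get_all() returns global_value, local_value
    // and the access mask of every directive the extension registers.
    $ini = ini_get_all('session', true);
    $directives = [];
    foreach (['session.save_handler', 'session.serialize_handler'] as $name) {
        $directives[$name] = [
            'value' => $ini[$name]['local_value'],
            // INI_USER in the mask: script code may call ini_set() on it.
            'script_changeable' => ($ini[$name]['access'] & INI_USER) === INI_USER,
        ];
    }

    switch (session_status()) {
        case PHP_SESSION_DISABLED: $state = 'disabled-by-config'; break;
        case PHP_SESSION_ACTIVE:   $state = 'active'; break;
        default:                   $state = 'available';
    }
    return ['state' => $state, 'directives' => $directives];
}

$report = audit_sessions();
echo "sessions: {$report['state']}\n";
foreach ($report['directives'] as $name => $info) {
    printf("%s=%s script_changeable=%s\n", $name, $info['value'],
        $info['script_changeable'] ? 'yes' : 'no');
}
if ($report['state'] === 'disabled-by-config'
    && in_array(true, array_column($report['directives'], 'script_changeable'), true)) {
    echo "note: the handler directives are still open to ini_set() in script code\n";
}
```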