I am trying to explain how cookies and sessions work in a class I teach, but I have hit a wall when it comes to the interaction between cookies and the state of the privacy settings in Internet Explorer. I would appreciate any help anyone can offer, please.
First, consider the following very simple JavaScript function:
[CODE=javascript]// SetCookie, GetCookie and DeleteCookie are helper functions not shown in this post.
function CookiesEnabled() {
  SetCookie( "testcookie", "testcookie" ) ;
  var bCookiesEnabled =
      ( GetCookie( "testcookie" ) == "testcookie" ) ;
  DeleteCookie( "testcookie" ) ;
  return bCookiesEnabled ;
}[/CODE]
This function indeed returns true or false depending upon the IE privacy settings. When I block cookies, indeed the function returns false.
Now consider two very simple PHP scripts:
[CODE=php]<?php // BareBonesGetCookie.php
print "<p>Cookie 'name' is set to: " .
    $_COOKIE['name'] . "</p>" ;
?>
<?php // BareBonesSetCookie.php
setcookie( "name", "Jesse" ) ;
print "<p>Cookie 'name' has been set to: " .
    $_COOKIE['name'] . "</p>" ;
?>[/CODE]
If I run the first script first, I get a blank result as expected. But if I run the second and then the first, I get "Cookie 'name' is set to: Jesse" regardless of my IE privacy settings. I do not understand this.
Here's the example that is really causing me fits. I have written a very simple PHP 5 script that stores some data in session variables:
[CODE=php]<?php // Script #1
session_start() ;
$_SESSION[ "FirstName" ] = "Robert" ;
$_SESSION[ "LastName" ] = "Thompson" ;
?>[/CODE]
I can then retrieve the data with another script:
[CODE=php]<?php // Script #2
session_start() ;
print "<h2>RetrieveSessionVariables.php</h2>" ;
if ( isset( $_SESSION[ 'FirstName' ] ) ) {
  print "<p><i>First Name:</i> " .
      $_SESSION[ 'FirstName' ] ;
  print "<br/><i>Last Name:</i> " .
      $_SESSION[ 'LastName' ] . "</p>" ;
} else {
  print "<p>The session variables are not set.</p>";
}
?>[/CODE]
This all works just fine. However, it works even when cookies are disabled. This is what I cannot understand.
I have read the postings on this and other websites that state that session IDs can be passed in URL parameters, hidden form fields, or cookies. In the case of the simple code above, it seems to me that the only option is cookies. But when I run the above code from my web server (a real server that I must access through the Internet, not just localhost) and push the Internet Explorer privacy settings to their maximum, disabling all cookies, Script #2 still prints the data stored in the session variables.
I have shut down all instances of IE to make sure that the session is closed. I have run Script #2 first and indeed I get the message that the session variables are not set. But if I then run Script #1 followed by Script #2, I see the values in the session variables.
The way I understand that session IDs work with cookies is illustrated in the figure posted at:
This figure and everything I read tells me that cookies must be enabled for sessions to work (assuming that one is not using forms). I am quite sure that I know how to block cookies, as evidenced by the JavaScript code at the top of this posting and the fact that it behaves properly when I change my browser privacy settings.
I would really appreciate it if someone could please explain to me what's going on here, that is, why PHP cookies and sessions seem to work regardless of my browser privacy settings.
Thank you sincerely.
Jesse Heines
Computer Science
UMass Lowell
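An added diagnostic, not part of the original post: a PHP page that reports whether the browser returned the session ID in a cookie, a URL parameter or a form field, together with the php.ini settings that control session ID transport. The file name SessionTransportCheck.php and the function sessionIdTransports() are hypothetical.

```php
<?php // SessionTransportCheck.php -- hypothetical file name; added example

// Return the channels through which this request carried a session ID.
function sessionIdTransports($name, array $cookie, array $get, array $post)
{
    $channels = array();
    if (isset($cookie[$name])) { $channels[] = 'cookie'; }
    if (isset($get[$name]))    { $channels[] = 'URL parameter'; }
    if (isset($post[$name]))   { $channels[] = 'form field'; }
    return $channels;
}

$name     = session_name();                        // "PHPSESSID" unless reconfigured
$channels = sessionIdTransports($name, $_COOKIE, $_GET, $_POST);
$rawCookieHeader = isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : '(none)';

session_start();                                   // must run before any output
$resumed = isset($_SESSION['seen']);               // true only if an earlier ID was honoured
$_SESSION['seen'] = true;

header('Content-Type: text/plain; charset=utf-8'); // plain text, so nothing is parsed as HTML

echo "Cookie header sent by browser: $rawCookieHeader\n";
echo "Session ID arrived via: " .
     ($channels ? implode(', ', $channels) : 'nothing') . "\n";
echo "Session resumed from an earlier request: " . ($resumed ? 'yes' : 'no') . "\n\n";

// php.ini settings that decide which transports PHP accepts and emits
$settings = array('session.use_cookies', 'session.use_only_cookies', 'session.use_trans_sid');
foreach ($settings as $key) {
    echo "$key = " . ini_get($key) . "\n";
}

// Headers queued for this response, including any Set-Cookie for the session
echo "\nResponse headers queued:\n";
foreach (headers_list() as $line) {
    echo "  $line\n";
}
```

Load the page twice in the same browser window; the second response shows whether the ID came back and by which channel. Take the page off the server afterwards, since it echoes the session ID.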