How to handle users with cookies disabled?

I have a new customer that is having some issues with our SaaS app. In digging through things and trying to reproduce the symptoms, I am pretty sure they have cookies disabled.

Our frontend config is:

    'enableAutoLogin' => true,
    'enableSession' => true,
    'identityCookie' => [
        'name' => '_identity-frontend',
        'httpOnly' => true,

If a user refuses to enable cookies, is our only solution to support PHPSESSIONID as a get parameter? If so, how do we automate this? It’s going to be very tedious to go through and add [‘PHPSESSIONID’ => …] to every Url::to in the app. Plus, we’d have to do some kind of test to see if the remote user has cookies enabled to not add the get parameter, etc. Just a total pain.

How is this best handled, assuming the user will not have cookies enabled but we need to let them login once and stay logged in as they bounce between app pages?

1 Like

I would forget that specific user.

I can’t let him/her lay an unnecessary burden on my app and/or expose other users to an undeniable vulnerability of having session IDs in urls.

PHP session without cookies - Stack Overflow.


I can only agree. If it’s their goal to disable all cookies they must have a reason for it. For example they don’t want data to get stored somewhere. You should just respect that and don’t store their credentials/name/whatever on your server and ignore them.

It’s not worth the effort in general. All workarounds either require a large amount of time or could cause heavy security issues.


Other have said it well.
I would add that explain to them why you need cookies for that and that if they cannot enable it the app wont work and let them make their choice!

There is always a churn, unfortunately!

1 Like