I am considering always passing ?PHPSESSID=x in the query string for each relevant URL as a workaround.
This is not the best practice, but if you decide to choose this method (because it is easy), you can do something like this:
<?php
define("COOKIE_NAME", "PHPSESSID");
define("DOMAIN", "example.com");

function is_valid_cookie($cookie){
    // Accept only what a PHP session id can contain ([0-9a-zA-Z,-], 22 to 256
    // characters). This also rejects ";", "=", CR/LF and any other character
    // that could smuggle attributes or extra headers into the Set-Cookie line.
    return preg_match('/^[0-9a-zA-Z,\-]{22,256}$/', $cookie) === 1;
}

function is_logged_in(){
    // Resume the session from the PHPSESSID cookie and check a login marker.
    // The $_SESSION key name is an assumption; use whatever your login code sets.
    if (session_id() === '') {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

function sanitize_url($url){
    // Strip CR/LF so nothing can be injected into the Location header.
    // If you have PHP >= 4.4.2 or PHP >= 5.1.2, header() already refuses such
    // values, so this is belt-and-braces.
    return str_replace(array("\r", "\n"), '', $url);
}

function remove_querystring_var($url, $toRemove){
    // Removes $toRemove from the query string of $url
    $pos = strpos($url, '?');
    if ($pos === false) {
        return $url; // no query string, nothing to remove
    }
    $parsed = array();
    parse_str(substr($url, $pos + 1), $parsed);
    $url = substr($url, 0, $pos);
    unset($parsed[$toRemove]);
    if(!empty($parsed)){
        $url .= '?' . http_build_query($parsed);
    }
    return $url;
}

if(isset($_GET[COOKIE_NAME])){
    if(is_valid_cookie($_GET[COOKIE_NAME])){
        // Move the id from the URL into a Secure, HttpOnly cookie for the whole domain
        setcookie(COOKIE_NAME, $_GET[COOKIE_NAME], time()+24*3600, "/", ".".DOMAIN, true, true);
    }
    // Valid or not, redirect to the same URL with the id stripped from the query string
    header("Location: ".sanitize_url(remove_querystring_var("https://".DOMAIN.$_SERVER["REQUEST_URI"], COOKIE_NAME)));
    exit(0);
}
else if(!is_logged_in()){
    echo "Invalid session!";
    exit(0);
}
//...
echo "Welcome!";
?>
Example:
https://mail.google.com/mail/u/0/?auth=xxxxx&anything=yyyyy
Google will use and then strip the &auth variable, but will keep the &anything, because &auth has sensitive data for Google.
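As an added example, not part of this answer's code: the same hand-off hardened against the main risk of carrying the session id in a URL. It accepts only a well-formed id, lets PHP's session.use_strict_mode refuse ids PHP did not itself issue, and replaces the id with session_regenerate_id() before redirecting, so the value that was in the URL (and therefore in browser history, Referer headers and server logs) stops working. The names SITE_DOMAIN and SESSION_COOKIE, the $_SESSION['user_id'] login marker, and a PHP >= 7.3 runtime (for the array form of session_set_cookie_params()) are assumptions. Run from the command line it only exercises the pure helpers on constructed inputs.

```php
<?php
// Added example (not the answer's own code): hardened query-string session hand-off.
// Assumptions: session cookie named PHPSESSID, site domain example.com,
// a $_SESSION['user_id'] login marker, PHP >= 7.3.
declare(strict_types=1);

const SESSION_COOKIE = 'PHPSESSID';
const SITE_DOMAIN    = 'example.com';

// PHP session ids consist of [0-9a-zA-Z,-] (session.sid_bits_per_character 4..6)
// and are 22..256 characters long (session.sid_length). Anything else is rejected
// before it can reach the session layer or a Set-Cookie header.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[0-9a-zA-Z,\-]{22,256}$/', $id) === 1;
}

// Remove one parameter from a URL's query string, leaving the rest intact;
// a URL without a query string is returned unchanged.
function remove_querystring_var(string $url, string $name): string
{
    $q = strpos($url, '?');
    if ($q === false) {
        return $url;
    }
    parse_str(substr($url, $q + 1), $params);
    unset($params[$name]);
    $base = substr($url, 0, $q);
    return $params ? $base . '?' . http_build_query($params) : $base;
}

// Redirect target: the current request URL with the id stripped and CR/LF removed
// (header() itself refuses CRLF since PHP 4.4.2 / 5.1.2; this is belt-and-braces).
function redirect_target(string $requestUri): string
{
    $url = remove_querystring_var('https://' . SITE_DOMAIN . $requestUri, SESSION_COOKIE);
    return str_replace(["\r", "\n"], '', $url);
}

// Adopt the URL-borne id only if it is well-formed and names a logged-in session
// that PHP itself issued, then immediately replace it with a fresh id so the
// value that travelled in the URL is dead by the time the redirect is sent.
function adopt_session_from_query(string $candidate): bool
{
    if (!is_valid_session_id($candidate)) {
        return false;
    }
    ini_set('session.use_strict_mode', '1');      // refuse ids PHP never generated
    session_set_cookie_params([
        'lifetime' => 24 * 3600,
        'path'     => '/',
        'domain'   => '.' . SITE_DOMAIN,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_id($candidate);
    session_start();
    if (empty($_SESSION['user_id'])) {            // unknown, empty or anonymous session: do not adopt
        session_destroy();
        setcookie(SESSION_COOKIE, '', time() - 3600, '/', '.' . SITE_DOMAIN, true, true);
        return false;
    }
    session_regenerate_id(true);                   // new id in the cookie, old id deleted server-side
    return true;
}

// Offline checks of the pure helpers on constructed inputs (not real requests).
function self_check(): array
{
    $failures = [];
    $cases = [
        ['https://example.com/a?PHPSESSID=abc&x=1', 'https://example.com/a?x=1'],
        ['https://example.com/a?PHPSESSID=abc',     'https://example.com/a'],
        ['https://example.com/a?x=1&y=2',           'https://example.com/a?x=1&y=2'],
        ['https://example.com/a',                   'https://example.com/a'],
    ];
    foreach ($cases as [$in, $want]) {
        $got = remove_querystring_var($in, SESSION_COOKIE);
        if ($got !== $want) {
            $failures[] = "$in -> $got (want $want)";
        }
    }
    if (!is_valid_session_id(str_repeat('a', 26)))       { $failures[] = 'valid id rejected'; }
    if (is_valid_session_id('abc; Path=/'))              { $failures[] = 'cookie attribute injection accepted'; }
    if (is_valid_session_id("abc\r\nSet-Cookie: x=y"))   { $failures[] = 'CRLF accepted'; }
    return $failures;
}

if (PHP_SAPI === 'cli') {
    $failures = self_check();
    echo $failures ? implode("\n", $failures) . "\n" : "self-check passed\n";
    exit($failures ? 1 : 0);
}
if (isset($_GET[SESSION_COOKIE])) {
    adopt_session_from_query((string) $_GET[SESSION_COOKIE]);
    header('Location: ' . redirect_target($_SERVER['REQUEST_URI']), true, 302);
    exit;
}
```

The point of the regeneration step is that the answer's setcookie() alone keeps the URL-borne id alive for 24 hours; with strict mode plus session_regenerate_id(true), an attacker who plants ?PHPSESSID=x in a link gets neither a fixed session (PHP refuses ids it did not issue) nor a reusable one (the id is rotated as soon as it moves into the cookie).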