Is there a way that I can initiate a persistent session in PHP without the placement of a session cookie? Are there other ways of maintaining a session across pages, such as an IP address-based solution?
My reason for asking is that although most users have cookies on, I want to see if there's a way for a login system to work for those with them disabled (even though I think disabling cookies is just unnecessary paranoia, personally).
The correct answer to this is NO. Using any combination of variables besides a cookie is insecure.
Think about it: when a user FIRST requests a page, the server is sending the page along with a unique value saying "HTTP is stateless, keep this so I know it's 'you' next time you call". That means, that person, in that browser (regardless of tab), running at that time, has a unique token.
If and only if they've logged in successfully, that token can now be tied to a session on the server side. Tokens are supposed to be so long and random that nobody could guess one in time.
Multiple browsers could be using the same IP address. Multiple people could have the EXACT same user agent. A cookie is the only storage system that works.
There's actually one more way, and that is to add the unique token to every single link back to the server as well as all AJAX calls, like ?PHPSESSID=my-unique-token-189481958 - but that's a pain to code.
You can set the ini value of session.use_trans_sid to true in order to activate appending the session id to every URL. Have a look at this. For security purposes you should then limit the session to the IP that created the session. This is not perfectly secure though, as someone with the same IP (behind a proxy, e.g.) could reuse that very same session.
If I wanted to do that then I would add the session id in the HTML code as a comment tag and use and configure the PHP code to use that session id which is included in the HTML code. I think it will be more relevant to do that instead of doing it with user IP or adding the session id in the URL.
You could create a database record or temporary file and check $_SERVER vars against the request on every page load. It's a security risk, but with enough variables (have a look at the list here) you may feel you've gotten the chance of hijack down to an acceptable level; only you know how secure your app needs to be.
You can work with session IDs in URLs, and disabling cookies with:
Note: it's highly discouraged to use session IDs in URLs. IP addresses can change when travelling around with a wireless card, and proxy servers have the same IP address. It's easily broken when clicking 'an old URL' (with the old session ID).
You may also be interested in creating your own session handling function (in conjunction with a database). You would ignore the session ID, and bind it to the IP address. (see examples in http://php.net/manual/en/function.session-set-save-handler.php)
References:
You can save the session id per IP in the database:
Create a MySQL table with three fields: session_id, ip and a unique temp key (for logged-in users) or any other condition you like. Then turn off session cookies and use_trans_sid.
Then write code to manage session behavior based on this new table!
After session_start(), save session_id in the table and later receive it from the table (by IP and any other condition) and then call
For more information and a complete guide see: https://gist.github.com/mimrahe/77415f4a9e238c313bbe8c42f8a6b7fe