Old 05-04-2008
Michael Ruebner
Re: $_SESSION w/o session_start()

Well, I seem to be having a problem no one else can relate to, which
means either one of two things: I've been staring at this for too long and
can't see the forest for the trees, or I'm being too opaque. Not much I
can do about the former this far in, so I'll try to rephrase--with
apologies for a rather lengthy post. If you don't want to work your way
through the rehash, please feel free to skip to the last paragraph.

My script provides basic shopping cart functionality, which relies on
access to the $_SESSION super global. Assorted sanity checks (XSS, SQL
injection, regex conformity) mean that a POST reload with previous values
might be required. This can be achieved by filling in value attributes
and/or hidden input fields, so no need for sessions here.

The only way to save state is by cookie. This is a requirement and
explicitly rules out trans id or SID session propagation. If
the client doesn't accept cookies, only one item per request will be
processed, and the user's choice will be lost should he decide to quit the
application.

Now, session_start() will create a new session file for each and
every scripted page request if there's no state (i.e., neither cookies, nor
trans id's). This is something I'd like to avoid. On the other hand, I
do not want to go through any of the server or client-side workarounds
(redirects/loads, javascript) in order to make calls to session_start() a
function of whether cookies are accepted or not. The only place where
I can do this without any coding contortions is my shopping cart script.

Using $_SESSION from within my script now becomes a somewhat dodgy
affair. All official sources state that you cannot use $_SESSION without a
prior call to session_start(). My tests show that you can, without the
interpreter complaining about an uninitialized variable. It even becomes
out-of-the-box super-duper global (I'm referencing it from within a class
method). Again, this works without any session file to de-serialize
from.

I guess what I'm really looking for is an elegant, fully server-side
solution to the 'no cookie, no session management' situation. Heck, I'll
even settle for a set_cookie() rewrite with a meaningful return value ;-)

Mike

f'up alt.php
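One server-side approach to the question above, as an added example that is not part of the original post or the author's cart script: call session_start() only when the client already presents a plausible session cookie, or when the request actually has state to persist. The function names and the `item` POST field are assumptions.

```php
<?php
// Added example (not the original poster's code). Avoids creating a session
// file for every cookieless page request by starting the session only when a
// plausible session cookie is present or when something must be persisted.
declare(strict_types=1);

// Only accept IDs shaped like the ones PHP generates (lengths depend on
// session.sid_length / session.sid_bits_per_character), so a forged cookie
// cannot make the server create arbitrary session files.
function looksLikeValidSid(string $sid): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid);
}

// Returns true when $_SESSION is backed by a real, persisted session.
function startCartSessionIfNeeded(bool $mustPersist): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    $hasCookie = isset($_COOKIE[session_name()])
        && looksLikeValidSid($_COOKIE[session_name()]);
    if (!$hasCookie && !$mustPersist) {
        return false; // no session file is created for this request
    }
    // Cookie-only propagation (no trans_sid) and strict mode: an unknown ID
    // supplied in a cookie is discarded and a fresh one issued, which also
    // blocks session fixation via attacker-chosen IDs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    return session_start();
}

// Constructed request handling: an "add to cart" POST with an 'item' field.
$item = $_POST['item'] ?? null;
if (startCartSessionIfNeeded($item !== null)) {
    $cart = $_SESSION['cart'] ?? [];
    if ($item !== null) {
        $cart[] = $item;
        $_SESSION['cart'] = $cart; // persisted only because a session is active
    }
} else {
    // Cookieless client on a plain page view: $_SESSION would be an ordinary,
    // unpersisted array here, so the cart is empty for this request.
    $cart = [];
}
```

A client that never returns the cookie still gets one session file per add-to-cart request, which is the one-item-per-request behaviour the post describes; plain page views create nothing.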