Cookies vs Sessions

mzfp2
Forum Contributor
Posts: 137
Joined: Mon Nov 11, 2002 9:44 am
Location: UK

Cookies vs Sessions

Post by mzfp2 »

At the moment my site uses cookies to track machines and users. My first approach to this didn't require cookies; instead I used a database table of users and their relative IP addresses.

However, from that I learned that it is possible that more than one user can have the same IP at a time if they're on a network.

So my question is: I'm thinking of using sessions that don't require cookies. Will this also be safe for networks, i.e. will it distinguish between every machine regardless of the type of network the users are on, unlike in my first scenario mentioned above?

Thanks

http://alljammin.com
Cruzado_Mainfrm
Forum Contributor
Posts: 346
Joined: Sun Jun 15, 2003 11:22 pm
Location: Miami, FL

Post by Cruzado_Mainfrm »

Well, you can still use databases and sessions at the same time. You can store the IP address and the session ID in the DB and save the session ID in a session cookie also, so you just have to check whether the cookie is the same as the database to see if the user is only or whatever.
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

No, sessions depend on the browser's state. A cookie is placed on the user's machine. If you can retrieve your cookie, you know that the user has been there before and so on. A session ends if the user closes his browser, and is not stored anywhere.

If you are tracking users in the way of "you have been here X times before" you don't need to worry about their IPs. Is there a reason why you need to use the IP/hosts at all?
igoy
Forum Contributor
Posts: 203
Joined: Fri May 02, 2003 11:57 pm
Location: India

Post by igoy »

This is just a theory... but I think you can use DB/session/cookie at the same time for more accurate info. That is, you can use a session to generate a unique session ID and then use it instead of the IP. As you said, different users can have the same IP if they are on a network, but each user on a different system will have a different session ID. This you can store in a cookie for future ref., since the session will expire once the browser is closed. Thus storing that ID in a cookie can help you track it later.
Stoneguard
Forum Contributor
Posts: 101
Joined: Wed Aug 13, 2003 9:02 pm
Location: USA

Post by Stoneguard »

I think the original question was, are non-cookie sessions safe for networks (i.e. multiple machines coming from one IP address). In terms of each machine only getting its session information, yes this is safe.

But, I would still use the cookie-based session instead of the parameter-based session. Parameter-based sessions are passed on the URL line and much easier to intercept. If you are using SSL, then even the session cookie gets encrypted when being sent.

With regards to how you store session information, the session_set_save_handler() will let you pretty much store it any way you like.

I personally make extensive use on a minimalist basis of session variables. That is, I use them a lot, but only when absolutely needed, and I try not to use them to store data that I can easily recalculate or will not need on the next few pages.