At the moment my site uses cookies to track machines and users. My first approach to this didn't require cookies; instead I used a database table of users and their relative IP addresses.
However, from that I learned that it is possible that more than one user can have the same IP at a time if they're on a network.
So my question is: I'm thinking of using sessions that don't require cookies. Will this also be safe for networks, i.e. will it distinguish between every machine regardless of the type of network the users are on, unlike in my first scenario mentioned above?
Thanks
http://alljammin.com
Cookies vs Sessions
-
Cruzado_Mainfrm
- Forum Contributor
- Posts: 346
- Joined: Sun Jun 15, 2003 11:22 pm
- Location: Miami, FL
No, sessions depend on the browser's state. A cookie is placed on the user's machine. If you can retrieve your cookie, you know that the user has been there before and so on. A session ends if the user closes his browser, and is not stored anywhere.
If you are tracking users in the way of "you have been here X times before" you don't need to worry about their IPs. Is there a reason why you need to use the IP/hosts at all?
This is just a theory, but I think you can use DB/session/cookie at the same time for more accurate info. That is, you can use a session to generate a unique session ID and then use it instead of the IP. As you said, different users can have the same IP if they are on a network, but each user on a different system will have a different session ID. You can store this in a cookie for future reference, since the session will expire once the browser is closed. Thus storing that ID in a cookie can help you track it later.
-
Stoneguard
- Forum Contributor
- Posts: 101
- Joined: Wed Aug 13, 2003 9:02 pm
- Location: USA
I think the original question was, are non-cookie sessions safe for networks (i.e. multiple machines coming from one IP address). In terms of each machine only getting its session information, yes, this is safe.
But, I would still use the cookie based session instead of the parameter based session. Parameter based sessions are passed on the URL line and much easier to intercept. If you are using SSL, then even the session cookie gets encrypted when being sent.
With regards to how you store session information, the session_set_save_handler() will let you pretty much store it any way you like.
I personally make extensive use on a minimalist basis of session variables. That is, I use them a lot, but only when absolutely needed, and I try not to use them to store data that I can easily recalculate or will not need on the next few pages.