Cookies vs Sessions

Posted: Sat Sep 27, 2003 6:21 am
by mzfp2
At the moment my site uses cookies to track machines and users. My first approach to this didn't require cookies; instead I used a database table of users and their relative IP addresses.

However, from that I learned that it is possible that more than one user can have the same IP at a time if they're on a network.

So my question is: I'm thinking of using sessions that don't require cookies. Will this also be safe for networks, i.e. will it distinguish between every machine regardless of the type of network the users are on, unlike in my first scenario mentioned above?

thanks

http://alljammin.com

Posted: Sat Sep 27, 2003 7:05 am
by Cruzado_Mainfrm
Well, you can still use databases and sessions at the same time. You can store the IP address and the session ID in the DB and save the session ID in a session cookie also, so you just have to check whether the cookie is the same as the database to see if the user is only or whatever.

Posted: Sat Sep 27, 2003 7:08 am
by JAM
No, sessions depend on the browser's state. A cookie is placed on the user's machine. If you can retrieve your cookie, you know that the user has been there before and so on. A session ends if the user closes his browser, and is not stored anywhere.

If you are tracking users in the way of "you have been here X times before" you don't need to worry about their IPs. Is there a reason why you need to use the IP/hosts at all?

Posted: Sat Sep 27, 2003 9:42 am
by igoy
This is just a theory, but I think you can use DB/session/cookie at the same time for more accurate info. That is, you can use a session to generate a unique session ID and then use it instead of the IP. As you said, different users can have the same IP if they are on a network, but each user on a different system will have a different session ID. This you can store in a cookie for future reference, since the session will expire once the browser is closed. Thus storing that ID in a cookie can help you track it later.

Posted: Sat Sep 27, 2003 1:05 pm
by Stoneguard
I think the original question was, are non-cookie sessions safe for networks (i.e. multiple machines coming from one IP address). In terms of each machine only getting its session information, yes, this is safe.

But I would still use the cookie-based session instead of the parameter-based session. Parameter-based sessions are passed on the URL line and are much easier to intercept. If you are using SSL, then even the session cookie gets encrypted when being sent.

With regards to how you store session information, the session_set_save_handler() will let you pretty much store it any way you like.

I personally make extensive use on a minimalist basis of session variables. That is, I use them a lot, but only when absolutely needed, and I try not to use them to store data that I can easily recalculate or will not need on the next few pages.