Cookies or Session

mixa2000
Forum Newbie
Posts: 18
Joined: Fri Jun 22, 2012 4:50 pm

Cookies or Session

Post by mixa2000 »

What is your opinion on what is better to use for login on a personal website (for relatives, friends, acquaintances, etc.)?
And which would you recommend, with your reasoning for why it's better to use cookies or sessions?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Cookies or Session

Post by requinix »

Depends what you want to put in them. Cookies are insecure, sessions require cookies.

Post by mixa2000 »

I want to put login information there, for example: authorization, their username, etc.
And thanks for replying, but I have a question about this answer:
what do you mean by "sessions require cookies"?

Post by requinix »

Cookies should only be for non-secret information. Usernames are okay. Passwords are not. Everything in a cookie can be edited by a user.
Sessions cannot be edited by the user and are for almost everything else that cannot be put in cookies.

Let's continue the answer/question fun. How do you think PHP knows which user has which session?

Post by mixa2000 »

"How do you think PHP knows which user has which session?" -
Well, I guess because we register the session to some specific
user and password, the server knows which one is which.
-------------------------------------------------------------------------
Another question about the sessions is how to make the
session be for the whole website until I log out (session_destroy).
For example, when I log in on my website on the login page, I
have a session id, which can be seen in the address bar. When
I go to another page on my website, the session id has already
disappeared.
----------------------------------------------------------------------------
"Cookies should only be for non-secret information.
Usernames are okay. Passwords are not." -
First off, can't you hash the password with MD5 or something,
and by the way, don't the majority of sites like Facebook, Gmail,
Ymail, etc. require cookies to log in, register, etc.? And one more:
when you log out, doesn't it sort of kill (delete) the cookie?

Any help is appreciated :)

Post by requinix »

mixa2000 wrote:
> "How do you think PHP knows which user has which session?" -
> Well, I guess because we register the session to some specific
> user and password, the server knows which one is which.

But then on the next page load the username/password isn't being submitted in a form. Of all the users connecting to the server at that moment, how does PHP know which user submitted which information on some page in the past?

Sessions use a random identifier (session ID) in a cookie. The user sends that cookie and PHP looks up the session according to it. Without cookies you have to put the identifier in the URL (which is what phpdn does).

mixa2000 wrote:
> Another question about the sessions is how to make the
> session be for the whole website until I log out (session_destroy).
> For example, when I log in on my website on the login page, I
> have a session id, which can be seen in the address bar. When
> I go to another page on my website, the session id has already
> disappeared.

The ID is disappearing. Either put it in a cookie or look for why it's not staying in the URL.

mixa2000 wrote:
> "Cookies should only be for non-secret information.
> Usernames are okay. Passwords are not." -
> First off, can't you hash the password with MD5 or something,
> and by the way, don't the majority of sites like Facebook, Gmail,
> Ymail, etc. require cookies to log in, register, etc.? And one more:
> when you log out, doesn't it sort of kill (delete) the cookie?

But you're still sending the password. There's a better way: use a value based on something random that isn't the password and store that in the database. When automatically logging in you check the username and the random string. Then regenerate it for next time. For someone to fake their way in they have to know a piece of information that only you know - not even the user knows it.

Logging out might destroy the cookie. It depends on how you define "log out".
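
One way to implement the random-value auto-login described in the post above, as an added example that is not part of the original thread. The `users` table, the `remember_hash` column, the function names and the in-memory SQLite database are assumptions made for illustration; storing only a SHA-256 hash of the token is a choice of this example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the site's user table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, remember_hash TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

// Issue a fresh random token: the browser gets the token, the database only its hash.
function issueRememberToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET remember_hash = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]);
    return $token; // the caller sends this to the browser with setcookie()
}

// Check username + token from the cookie; on success rotate the token for next time.
function loginWithRememberToken(PDO $db, string $username, string $token): ?string
{
    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return null; // unknown user, no token on file, or wrong token
    }
    return issueRememberToken($db, $username); // the old token stops working here
}

// Logging out: forget the token server-side so the old cookie cannot log in again.
function forgetRememberToken(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET remember_hash = NULL WHERE username = ?')
       ->execute([$username]);
}

$first  = issueRememberToken($db, 'alice');
$second = loginWithRememberToken($db, 'alice', $first);           // valid token
var_dump($second !== null);
var_dump(loginWithRememberToken($db, 'alice', $first));           // replay of the rotated token
var_dump(loginWithRememberToken($db, 'alice', 'edited-by-user')); // value the user made up
forgetRememberToken($db, 'alice');
var_dump(loginWithRememberToken($db, 'alice', (string) $second)); // cookie kept after logout
```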

Post by mixa2000 »

Thanks for the help, you clarified this very well. :)
-------------------------------------------------------------
You are right, I didn't use cookies to store the
session id, so of course it wouldn't last me
throughout the whole website, now I get it.
-------------------------------------------------------------
But how do you put the session in a cookie?
Do you just set the cookie with
setcookie();? Can you give me an example please?
-------------------------------------------------------------
I am really thankful for your help, you really helped
me out. I never could've fully understood why my
sessions didn't work, now I get it. :)

Post by requinix »

By default the session ID will go in a cookie. You had to explicitly configure PHP to not do that, like in the php.ini. Undo that.
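
A session bootstrap that keeps the session ID in a cookie on every page until logout, as an added example that is not part of the original thread. The function names `logIn` and `logOut` and the idea of including this file at the top of each page are assumptions; the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Carry the session ID in a cookie only, never in the URL (these are PHP's defaults;
// the same directive names can be set in php.ini instead of here).
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

session_set_cookie_params([
    'lifetime' => 0,      // cookie lasts until the browser closes
    'path'     => '/',    // sent for every page of the site, not just the login page
    'secure'   => true,   // only over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();          // must run on every page, before any output

// Call after the username and password have been verified.
function logIn(string $username): void
{
    session_regenerate_id(true);       // new ID at login, old session file deleted
    $_SESSION['username'] = $username; // stays on the server; the browser sees only the ID
}

// Clears the server-side data and expires the cookie in the browser.
function logOut(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// On any later page, the login state is read back from the session.
$currentUser = $_SESSION['username'] ?? null;
```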

Post by mixa2000 »

Okay thank you for your explanation and clarification on this PHP topic. :)