
Cookies or Session

Posted: Fri Jun 22, 2012 5:30 pm
by mixa2000
What is your opinion on which is better to use for login on a personal web-site (for relatives, friends, acquaintances, etc.)?
And why would you recommend that to me, with your reasoning for why it's better to use cookies or sessions?

Re: Cookies or Session

Posted: Fri Jun 22, 2012 8:58 pm
by requinix
Depends what you want to put in them. Cookies are insecure, sessions require cookies.

Re: Cookies or Session

Posted: Fri Jun 22, 2012 9:26 pm
by mixa2000
I want to put login information there, for example: authorization, their username, etc.
And thanks for replying, but I have a question about this answer:
what do you mean by "sessions require cookies"?

Re: Cookies or Session

Posted: Sat Jun 23, 2012 1:14 am
by requinix
Cookies should only be for non-secret information. Usernames are okay. Passwords are not. Everything in a cookie can be edited by a user.
Sessions cannot be edited by the user and are for almost everything else that cannot be put in cookies.

Let's continue the answer/question fun. How do you think PHP knows which user has which session?

Re: Cookies or Session

Posted: Sat Jun 23, 2012 4:25 pm
by mixa2000
"How do you think PHP knows which user has which session? "-
Well I guess because we register the session to some specific
user and password, the server knows which one is which.
-------------------------------------------------------------------------
Another question about the sessions is how to make the
session last for the whole website until I log out (session_destroy).
For example, when I log in on my website on the login page, I
have a session id, which can be seen in the address bar. When
I go to another page on my website, the session id has already
disappeared.
----------------------------------------------------------------------------
"Cookies should only be for non-secret information.
Usernames are okay. Passwords are not." -
First off, can't you hash the password with MD5 or something?
And by the way, don't the majority of sites like facebook, gmail,
ymail, etc. require cookies to log in, register, etc.? And one more:
when you log out, doesn't it sort of kill (delete) the cookie?

Any help is appreciated :)

Re: Cookies or Session

Posted: Sat Jun 23, 2012 5:17 pm
by requinix
mixa2000 wrote:
"How do you think PHP knows which user has which session? "-
Well I guess because we register the session to some specific
user and password, the server knows which one is which.

But then on the next page load the username/password isn't being submitted in a form. Of all the users connecting to the server at that moment, how does PHP know which user submitted which information on some page in the past?

Sessions use a random identifier (session ID) in a cookie. The user sends that cookie and PHP looks up the session according to it. Without cookies you have to put the identifier in the URL (which is what phpdn does).

mixa2000 wrote:
Another question about the sessions is how to make the
session last for the whole website until I log out (session_destroy).
For example, when I log in on my website on the login page, I
have a session id, which can be seen in the address bar. When
I go to another page on my website, the session id has already
disappeared.

The ID is disappearing. Either put it in a cookie or look for why it's not staying in the URL.

mixa2000 wrote:
"Cookies should only be for non-secret information.
Usernames are okay. Passwords are not." -
First off, can't you hash the password with MD5 or something?
And by the way, don't the majority of sites like facebook, gmail,
ymail, etc. require cookies to log in, register, etc.? And one more:
when you log out, doesn't it sort of kill (delete) the cookie?

But you're still sending the password. There's a better way: use a value based on something random that isn't the password and store that in the database. When automatically logging in you check the username and the random string. Then regenerate it for next time. For someone to fake their way in they have to know a piece of information that only you know - not even the user knows it.

Logging out might destroy the cookie. It depends on how you define "log out".
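
The random-value scheme described in the post above, as an added example that is not part of the original thread: a token unrelated to the password is issued at login, checked together with the username on the next visit, and regenerated each time it is used. The `users` table, its `remember_hash` column and the function names are assumptions for illustration, and storing only a SHA-256 hash of the token server-side is a choice made here, not something the post specifies.

```php
<?php
// Added example: rotating "remember me" token. Names are hypothetical.

function issue_token(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));   // random, not derived from the password
    $stmt = $db->prepare('UPDATE users SET remember_hash = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]); // keep only a hash in the DB
    return $token;   // on a real page, send this to the browser with setcookie()
}

function auto_login(PDO $db, string $username, string $token): ?string
{
    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();       // false: no such user, null: no token issued
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return null;                      // edited, stale or unknown token: reject
    }
    return issue_token($db, $username);   // accepted: regenerate it for next time
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, remember_hash TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

$first  = issue_token($db, 'alice');          // issued at a normal password login
$second = auto_login($db, 'alice', $first);   // next visit: accepted and rotated

var_dump($second !== null && $second !== $first);       // rotation produced a new token
var_dump(auto_login($db, 'alice', $first));             // replay of the old token
var_dump(auto_login($db, 'alice', 'edited-by-user'));   // value the user made up
```

Because the cookie holds only a random string, a user who edits it gains nothing, and a copied token stops working as soon as the legitimate browser uses it once.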

Re: Cookies or Session

Posted: Sat Jun 23, 2012 5:58 pm
by mixa2000
Thanks for the help, you clarified this very well. :)
-------------------------------------------------------------
You are right, I didn't use cookies to store the
session id, so of course it wouldn't last me
throughout the whole website, now I get it.
-------------------------------------------------------------
But how do you put the session in a cookie?
Do you just set the cookie with
setcookie()? Can you give me an example please?
-------------------------------------------------------------
I am really thankful for your help, you really helped
me out. I never could've fully understood why my
sessions didn't work; now I get it. :)

Re: Cookies or Session

Posted: Sat Jun 23, 2012 7:33 pm
by requinix
By default the session ID will go in a cookie. You had to explicitly configure PHP to not do that, like in the php.ini. Undo that.
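
A sketch of what the post above describes, as an added example that is not part of the original thread: the session ID is kept in a cookie only, every page starts the session the same way, and logging out clears both the server-side data and the cookie. The function names and the `username` session key are assumptions; the option keys are PHP's `session.*` php.ini directives without the prefix.

```php
<?php
// Added example: cookie-only sessions. Function names are hypothetical.

function start_site_session(): void
{
    session_start([
        'use_cookies'      => 1,  // carry the session ID in a cookie (PHP's default)
        'use_only_cookies' => 1,  // do not accept a session ID from the URL
        'use_trans_sid'    => 0,  // do not rewrite links to include the ID
        'cookie_httponly'  => 1,  // keep the cookie away from page scripts
        // add 'cookie_secure' => 1 when the site is served over HTTPS
    ]);
}

function log_in(string $username): void
{
    // Call only after the submitted password has been verified.
    session_regenerate_id(true);        // new ID once the user is authenticated
    $_SESSION['username'] = $username;  // stored server-side; browser holds only the ID
}

function log_out(): void
{
    $_SESSION = [];                     // drop the server-side data
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Every page of the site starts the same way, before any output:
start_site_session();
if (isset($_SESSION['username'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['username']);
} else {
    echo 'Not logged in';
}
```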

Re: Cookies or Session

Posted: Sun Jun 24, 2012 3:18 am
by mixa2000
Okay thank you for your explanation and clarification on this PHP topic. :)