
Differences between session and cookie

Posted: Thu Nov 04, 2004 11:47 am
by Burrito
hello all, this may be a stupid question, but I'm curious as to the differences/advantages/disadvantages to using session vars instead of cookies?

I currently build all of my php sites that require logins etc to use cookies and I'm wondering if I should be using some kind of session vars instead.

for example, I create a file called app.php and in that file I have something like this:

<?php
if (!isset($_COOKIE["loggedin"])) {
    // build the URL of the page being requested so login.php can send the user back to it afterwards
    $location = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["PHP_SELF"] . (!empty($_SERVER['QUERY_STRING']) ? '?' . $_SERVER['QUERY_STRING'] : '');
?>
<script>
location = "http://www.myserver.com/login/login.php?message=notloggedin&ol=<?=urlencode($location);?>";
</script>
<?php
    exit; // stop here so the rest of the protected page is not sent to a client that ignores the redirect
}
?>
I include that file on all pages that I want to be part of my "application" so that if a user tries to hit that page and they're not "logged in" it redirects them to a log in page where I check their credentials..if the credentials pass, I set the cookie for them.

Should I be doing this same thing in some form of session format? If so, could someone please advise as to how sessions work exactly?

thx,

Burrito

Posted: Thu Nov 04, 2004 12:36 pm
by rehfeld
http://php.net/manual/en/ref.session.php

sessions have numerous advantages, but you will still need to set cookies for some things.

for example, sessions default to a lifetime of 180min (you can change it to any value), so after that time is up, the info in the $_SESSION array won't be avail anymore. but if you want to have a "remember me" button for login or something, you prob want it to last for weeks. in that case, set a cookie.


you need to call session_start(); on any page you want to add or retrieve info from their session

session_start(); will send a cookie to the user if the browser did not send one to the server containing a PHPSESSID along w/ the request. so you don't need to worry about checking or anything, php handles it automatically for you.

also, w/ sessions, you don't store any info in the cookie, and as such, the cookie is small, and you only need one. plus since there is no info in the cookie, they can't modify it. if they modify the session_id, then they lose the entire session (which is good)

think of it as sending a cookie w/ a unique identifier, and then it allows you to store info in a database, but only for that user. php automatically loads all the info from the database for the identifier it receives, and stores it in the $_SESSION array, so it's easy for you to use

this is how easy sessions make it

<?php
session_start(); // this sends a cookie w/ a session id number

if (isset($_POST['name'])) {
    $_SESSION['name'] = $_POST['name'];
}

$_SESSION['visited_page1'] = true; // this is how you store info into the session, very simple

// now you have their name available on any page
echo $_SESSION['name'];

page 2

<?php
session_start();

echo 'your name is ' . $_SESSION['name'];

if (isset($_SESSION['visited_page1'])) {
    echo 'you have visited page 1!';
}

Posted: Thu Nov 04, 2004 12:44 pm
by rehfeld
oh and also, you can see the problem w/ using your cookie named
'loggedin'

I could easily put my own cookie into my browser called loggedin, then view your site and now I have access :)
however, if using sessions, the only thing in the cookie I have is

PHPSESSID=ds564f3sf45sadf5sad45fas5df

and no info is stored in it, the info is on your server where it's safe

then you just

session_start();
if (empty($_SESSION['loggedin'])) {
    // redirect
}
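The guard rehfeld describes, written out as a complete login flow. This is an added example, not code from rehfeld or Burrito: the login state lives only in $_SESSION on the server, so a "loggedin" cookie made up by the client does nothing. $users is a constructed stand-in for a user table (username => password_hash()), and credentials_valid() is a hypothetical helper around it.

```php
<?php
// Added example (not the thread's code): app.php's guard and the login handler on sessions.
// $users is a constructed stand-in for the user table; credentials_valid() is hypothetical.

$users = ['burrito' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)]; // constructed

function credentials_valid(string $username, string $password): bool {
    global $users;
    // password_verify() compares against the stored hash; the plaintext password is never stored
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// include at the top of every protected page (the session replacement for app.php)
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['loggedin'])) {
        $return = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login/login.php?message=notloggedin&ol=' . urlencode($return));
        exit; // never emit the protected content, even to a client that ignores the redirect
    }
}

// login.php: call with the POSTed username/password and the "ol" return path
function handle_login(string $username, string $password, string $returnTo): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentials_valid($username, $password)) {
        header('Location: /login/login.php?message=badlogin');
        exit;
    }
    // fresh session id on login, so an id the visitor had before authenticating is not reused
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    // only go back to a path on this site; an absolute URL supplied by the client is ignored
    $onSite = $returnTo !== '' && $returnTo[0] === '/' && substr($returnTo, 0, 2) !== '//';
    header('Location: ' . ($onSite ? $returnTo : '/'));
    exit;
}

// usage on a protected page:  require_login();  echo 'hello ' . $_SESSION['username'];
// usage in login.php:         handle_login($_POST['username'] ?? '', $_POST['password'] ?? '', $_GET['ol'] ?? '/');
```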

Posted: Thu Nov 04, 2004 12:45 pm
by Burrito
Thank you for the considered response. What is the minimum version of php that I need to have in order to use sessions?

I definitely think this is something that I'm going to pursue further based on your response but I'd like to make sure that I have a current enough version before I spend too much time on it.

thanks again,

Burrito

Posted: Thu Nov 04, 2004 12:48 pm
by Burrito
rehfeld wrote: oh and also, you can see the problem w/ using your cookie named
'loggedin'

I could easily put my own cookie into my browser called loggedin, then view your site and now I have access :)
however, if using sessions, the only thing in the cookie I have is
But as you said above, if I want a "remember me" option I will need to set a cookie no? In that case, how can I get around ppl just creating cookies and having access to my site?


Burr

Posted: Thu Nov 04, 2004 12:57 pm
by rehfeld
php4 and up, the link I provided has all that info



you need to set the cookie w/ their username (and maybe password depending on how much you want it to "remember"), not if they are logged in or not

<?php
session_start();
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
    // do your checking here: credentials_valid() stands for your own check against the user store
    if (credentials_valid($_COOKIE['username'], $_COOKIE['password'])) {
        $_SESSION['loggedin'] = true;
    }
}

you can do that in more secure ways, like using md5 on their password before sending the cookie to them, but you need to get started first
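One of the "more secure ways" rehfeld alludes to, as an added example that is not his code: the "remember me" cookie carries a random token rather than the username and password, and the server keeps only a hash of that token. A forged cookie cannot guess a valid value, and a leaked token table does not yield working cookies. token_store_save()/token_store_lookup() are hypothetical persistence helpers standing in for a database table; here they are backed by an in-memory array.

```php
<?php
// Added example (not rehfeld's code): persistent login via a random token instead of credentials.
// The token store is a constructed in-memory stand-in: sha256(token) => ['user' => ..., 'expires' => ...]
$tokenStore = [];

function token_store_save(string $hash, array $record): void { global $tokenStore; $tokenStore[$hash] = $record; }
function token_store_lookup(string $hash): ?array { global $tokenStore; return $tokenStore[$hash] ?? null; }

// call after a successful login when the user ticked "remember me"
function issue_remember_me(string $username): void {
    $token   = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG, not derived from the password
    $expires = time() + 30 * 24 * 3600;        // weeks, unlike the 180 min default session lifetime
    token_store_save(hash('sha256', $token), ['user' => $username, 'expires' => $expires]);
    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// call at the top of protected pages when $_SESSION['loggedin'] is not set
function login_from_remember_me(): bool {
    if (empty($_COOKIE['remember'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $record = token_store_lookup(hash('sha256', $_COOKIE['remember']));
    if ($record === null || $record['expires'] < time()) {
        setcookie('remember', '', time() - 3600, '/'); // discard an unknown or expired token
        return false;
    }
    session_regenerate_id(true);               // fresh session id on the privilege change
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $record['user'];
    return true;
}
```

The same hash comparison works for a database-backed store; the cookie value itself is never written to disk, only its hash.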

Posted: Thu Nov 04, 2004 2:04 pm
by Burrito
Again rehfeld, thank you for the considered responses.

Burr