Session to all and to all a good night

JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Session to all and to all a good night

Post by JPlush76 »

I'm setting up the customer signup portion of my new ecommerce site now and I had a couple quick questions on how to properly use sessions.

Instead of having them create a user id I'm using their email address as the unique key.

1. When they register I'm going to register the session variable EMAIL, and when I do my queries for their account and such I'll use the email address in my SQL string.

2. Should I do session_register(VAR) or $_SESSION[var]?

3. Now how about people that don't accept cookies? Should I code for them as well? What percentage of people really have their cookies set to off, and do they even buy things?

I know how to set up sessions and do all that fun stuff, but I just have some "how to use them best for security and function" type questions.

thanks all!
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

1. I prefer using $_SESSION['var']; it's much more intuitive, easier to use and understand, and works just like a normal variable.

2. I follow this rule: if a person doesn't trust you with a cookie, they aren't going to trust you with a credit card number. Anyone smart enough to know how to enable/disable cookies is smart enough to know that if you want to buy something, allowing cookies is practically a must. At the same time, most people who do not accept cookies will make exceptions for session cookies, like when you log in or something, so it's not really a problem.
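To make the $_SESSION advice concrete, here is an added example (not code from the thread or from either poster) of a cookie-only login session written the way the reply recommends. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the authenticate() function is a hypothetical stand-in for the real credential check against the customers table. session_register() is not used because it was deprecated in PHP 5.3 and removed in 5.4.

```php
<?php
// Added example: cookie-only PHP session that stores the customer's numeric id in $_SESSION.
declare(strict_types=1);

// Configure the session BEFORE session_start():
//  - use_only_cookies: never accept a session id passed in the URL (no ?PHPSESSID=... links)
//  - use_strict_mode:  reject session ids the server did not generate itself
//  - cookie flags:     HTTPS only, not readable by JavaScript, not sent on cross-site POSTs
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Hypothetical credential check (placeholder for a query against the customers table).
 * Returns the customer's numeric id on success, or null on failure.
 */
function authenticate(string $email, string $password): ?int
{
    // Constructed sample account; a real version would SELECT customer_id, password_hash
    // FROM customers WHERE email = :email and compare with password_verify().
    $sample = ['email' => 'customer@example.com', 'id' => 42,
               'hash'  => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];
    if ($email === $sample['email'] && password_verify($password, $sample['hash'])) {
        return $sample['id'];
    }
    return null;
}

/** Log the customer in and bind the session to their numeric id. */
function login(string $email, string $password): bool
{
    $id = authenticate($email, $password);
    if ($id === null) {
        return false;
    }
    // New session id at the privilege change, so an id handed out before login
    // (e.g. planted by a session-fixation attempt) can no longer be used.
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $id;   // store the stable numeric key, not the changeable email
    return true;
}

/** Current customer id, or null when nobody is logged in. */
function currentCustomerId(): ?int
{
    return isset($_SESSION['customer_id']) ? (int) $_SESSION['customer_id'] : null;
}

/** Guard for account pages: redirect to the login form unless a customer is logged in. */
function requireLogin(): int
{
    $id = currentCustomerId();
    if ($id === null) {
        header('Location: /login.php');
        exit;
    }
    return $id;
}

/** Full logout: clear the data, expire the cookie, destroy the server-side record. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on the login form handler (constructed input):
if (login('customer@example.com', 'correct-horse-battery')) {
    echo "logged in as customer " . currentCustomerId() . "\n";
}
```

Every account page then starts with `$customerId = requireLogin();` and uses that integer as the bound parameter in its queries, which also answers the third question in the original post: with session.use_only_cookies set, a visitor who blocks cookies simply cannot stay logged in, and no fallback that leaks the session id into URLs is offered.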
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

thanks Jason, I'll use the _SESSION vars

what do you think about using the email address as the key for user queries?

I'll just keep that email variable throughout the entire session and use it to let the user access the account and display data based on the user.

Any security risks in doing it that way? Or should I register the unique auto increment ID field instead?
mr_griff
Forum Commoner
Posts: 64
Joined: Tue Sep 17, 2002 11:11 am
Location: Bozeman, Montana

Post by mr_griff »

JPlush76,

I am currently doing pretty much the same thing as you, using the customer's email address as their username, but I also generate a numeric customer id as well. That way I can match up customers to past orders even if they change their e-mail address, without having to update the past orders. When they look up an old order, the invoice has the email listed that they had at the time the order was placed. I just use the numeric customer id in the session.
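The data model mr_griff describes, as an added example that is not his code or the original poster's: a numeric customer_id is the session key and the foreign key on orders, while each order snapshots the email address in use when it was placed. The tables and the sample customer are constructed for the example; it uses PDO with an in-memory SQLite database so it runs stand-alone, and every query binds the customer id as a parameter instead of building the SQL string from session or user data.

```php
<?php
// Added example: numeric customer id in the session, email snapshot on each order.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: the email is unique today, but only customer_id is used as the link.
$db->exec('CREATE TABLE customers (
    customer_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    email         TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE orders (
    order_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    customer_id    INTEGER NOT NULL REFERENCES customers(customer_id),
    email_at_order TEXT NOT NULL,      -- what the invoice shows, frozen at order time
    total_cents    INTEGER NOT NULL)');

/** Create the account and return the numeric id that the session will carry. */
function registerCustomer(PDO $db, string $email, string $password): int
{
    $stmt = $db->prepare('INSERT INTO customers (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

/** Place an order, copying the customer's current email onto the order row. */
function placeOrder(PDO $db, int $customerId, int $totalCents): int
{
    $stmt = $db->prepare(
        'INSERT INTO orders (customer_id, email_at_order, total_cents)
         SELECT customer_id, email, :total FROM customers WHERE customer_id = :id');
    $stmt->execute([':total' => $totalCents, ':id' => $customerId]);
    return (int) $db->lastInsertId();
}

/** Changing the email touches only the customers row; past orders keep their snapshot. */
function changeEmail(PDO $db, int $customerId, string $newEmail): void
{
    $stmt = $db->prepare('UPDATE customers SET email = :email WHERE customer_id = :id');
    $stmt->execute([':email' => $newEmail, ':id' => $customerId]);
}

/** Order history for the logged-in customer; the id comes from the session, never from the request. */
function ordersFor(PDO $db, int $customerId): array
{
    $stmt = $db->prepare(
        'SELECT order_id, email_at_order, total_cents FROM orders
         WHERE customer_id = :id ORDER BY order_id');
    $stmt->execute([':id' => $customerId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed walk-through. $_SESSION is assigned directly here as a stand-in for a
// started session; in the web app it would be set by the login handler.
$_SESSION = [];
$_SESSION['customer_id'] = registerCustomer($db, 'jane@example.com', 'sample-password');

placeOrder($db, $_SESSION['customer_id'], 1999);
changeEmail($db, $_SESSION['customer_id'], 'jane@newmail.example');
placeOrder($db, $_SESSION['customer_id'], 4500);

foreach (ordersFor($db, $_SESSION['customer_id']) as $order) {
    // The first order still lists jane@example.com, the second the new address,
    // and both are found through the unchanged customer_id.
    printf("order %d: %s, %d cents\n", $order['order_id'], $order['email_at_order'], $order['total_cents']);
}
```

Had the session carried the email instead, the UPDATE in changeEmail() would also have had to rewrite every historical order (or the customer would lose access to them), and any query that interpolated the email into the SQL string would have been an injection point; binding an integer id sidesteps both problems.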
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Ahhh! Good point, Griff, I forgot all about that.

I'll use the user_id as the query field then, thanks :)