Session to all and to all a good night

Posted: Mon Sep 16, 2002 4:26 pm
by JPlush76
I'm setting up the customer signup portion of my new ecommerce site now and I had a couple quick questions on how to properly use sessions.

Instead of having them create a user id I'm using their email address as the unique key.

1. When they register I'm going to register the session variable EMAIL, and when I do my queries for their account and such I'll use the email address in my SQL string.

2. should I do session_register(VAR) or $_SESSION[var] ?

3. Now how about people who don't accept cookies? Should I code for them as well? What percentage of people really have their cookies set to off, and do they even buy things?

I know how to set up sessions and do all that fun stuff, but I just have some "how to use them best for security and function" type questions.

thanks all!

Posted: Mon Sep 16, 2002 4:39 pm
by jason
1. I prefer using $_SESSION['var'], it's much more intuitive, easier to use and understand, and works just like a normal variable.

2. I follow this rule: if a person doesn't trust you with a cookie, they aren't going to trust you with a credit card number. Anyone smart enough to know how to enable/disable cookies is smart enough to know that if you want to buy something, allowing cookies is practically a must. At the same time, most people who do not accept cookies will make exceptions for session cookies, like when you log in or something, so it's not really a problem.

Posted: Mon Sep 16, 2002 4:51 pm
by JPlush76
thanks Jason, I'll use the _SESSION vars

what do you think about using the email address as the key for user queries?

I'll just keep that email variable throughout the entire session and use it to let the user access the account and display data based on the user.

Any security risks in doing it that way? Or should I register the unique auto increment ID field instead?

Posted: Tue Sep 17, 2002 11:38 am
by mr_griff
JPlush76,

I am currently doing pretty much the same thing as you, using the customer's email address as their username, but I also generate a numeric customer id as well. That way I can match up customers to past orders even if they change their e-mail address, without having to update the past orders. When they look up an old order, the invoice has the email listed that they had at the time the order was placed. I just use the numeric customer id in the session.

Posted: Tue Sep 17, 2002 11:41 am
by JPlush76
ahhh! good point Griff, I forgot all about that.

I'll use the user_id as the query field then, thanks :)
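The pattern the thread settles on (jason's $_SESSION over session_register, and mr_griff's numeric customer id in the session with the e-mail captured on each order), as an added example that is not code from any of the posters. It also binds the e-mail with a prepared statement instead of putting it in the SQL string as the first post planned, and rotates the session id at login. The customers/orders table and column names, and the in-memory SQLite data, are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread: numeric customer id in $_SESSION,
// e-mail only used as a bound login parameter, e-mail snapshot kept per order.
// Table and column names (customers, orders, ...) are assumptions.

declare(strict_types=1);

session_start();

/**
 * Authenticate by e-mail and password. On success keep only the numeric
 * customer id in the session and rotate the session id.
 */
function loginCustomer(PDO $db, string $email, string $password): bool
{
    // The e-mail is bound as a parameter, never interpolated into the query,
    // so a value like "x' OR '1'='1" is just a string that matches nothing.
    $stmt = $db->prepare(
        'SELECT customer_id, password_hash FROM customers WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id on login so an id set before authentication is not reused.
    session_regenerate_id(true);
    $_SESSION['customer_id'] = (int) $row['customer_id'];
    return true;
}

/**
 * Orders for the logged-in customer. Each order carries the e-mail that was
 * current when it was placed (orders.email), so changing the account e-mail
 * later does not rewrite old invoices; the join key is the numeric id.
 */
function currentCustomerOrders(PDO $db): array
{
    if (!isset($_SESSION['customer_id'])) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT order_id, email, placed_at FROM orders
          WHERE customer_id = :id ORDER BY placed_at DESC'
    );
    $stmt->execute([':id' => $_SESSION['customer_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Change the login e-mail; past orders keep their own copy of the address. */
function changeCustomerEmail(PDO $db, string $newEmail): bool
{
    if (!isset($_SESSION['customer_id'])) {
        return false;
    }
    $stmt = $db->prepare('UPDATE customers SET email = :email WHERE customer_id = :id');
    return $stmt->execute([':email' => $newEmail, ':id' => $_SESSION['customer_id']]);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (customer_id INTEGER PRIMARY KEY,
                                   email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_id INTEGER,
                                email TEXT, placed_at TEXT)');
$ins = $db->prepare('INSERT INTO customers (email, password_hash) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins = $db->prepare('INSERT INTO orders (customer_id, email, placed_at) VALUES (?, ?, ?)');
$ins->execute([1, 'alice@example.com', '2002-09-01']);

// A malformed e-mail is harmless because it is bound, not concatenated.
var_dump(loginCustomer($db, "x' OR '1'='1", 'anything'));
// Real credentials: session now holds customer_id, not the e-mail.
var_dump(loginCustomer($db, 'alice@example.com', 'correct horse'));
// After an address change the old order still shows the original e-mail.
changeCustomerEmail($db, 'alice.new@example.com');
print_r(currentCustomerOrders($db));
```

Because the session stores only the numeric id, every later query is keyed on an immutable value the user never types, and the e-mail is treated as plain data (bound in the login lookup, copied onto each order as a snapshot) rather than as part of the SQL text.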