I'm getting to the point of my site creation where the main page will customize itself to what settings the user specifies.
I've been reading over sessions (http://www.zend.com/zend/tut/session.php) and cookies (http://www.zend.com/zend/tut/feedback.php).
It seems the sessions are nothing more than glorified cookies. Is there a de facto standard on which one to use on a fully functional site? Is there much of a difference between the two?
Difference Between Sessions and Cookies
To an extent, sessions are basically cookies that reside on the server instead of the client. In this manner, it is safer to use sessions as you don't have to worry about whether the client has cookies enabled or not.
To my knowledge there is no standard as to which you use; it's more dependent upon the usage of your site.
- feyd
Cookies have a set limit to how much information can be kept in them; sessions do not. Sessions remain available as long as the user hasn't closed their browser (ignoring SessionSaver et al. here).
You need to take great care in what you put in either, however, unless you're on a dedicated host (or sandbox-like environment), though for different reasons. Cookies can be manipulated by the user. If you don't validate and verify information given by the cookie you may "accidentally" give a user administrative powers if they change X to Y. On shared hosts, the session directory is often the same for all users. This also means that any information you store in the session can be read by anyone else on the server. Even changing the location of the directory sessions are saved in on a shared host often isn't the best idea. After all, you can't have PHP be the owner, and it's more difficult to deal with if the directory is your user. So in the end, on shared hosts, I recommend storing session data, sensitive or not, in a database.
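The cookie validation described in the post above, as an added example that is not part of the original thread: a settings cookie carries an HMAC so edits made in the browser are detected, and only whitelisted keys and values are accepted. `PREFS_KEY`, `ALLOWED`, `pack_prefs()`, `unpack_prefs()` and the setting names are assumptions made for illustration.

```php
<?php
// Added example: tamper-evident preference cookie. The key, the cookie
// format and the setting names are constructed for illustration.
const PREFS_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const ALLOWED = [                 // whitelist of settings and their legal values
    'theme'    => ['light', 'dark'],
    'per_page' => ['10', '25', '50'],
];

// Serialize settings and append an HMAC over the serialized payload.
function pack_prefs(array $prefs): string
{
    $payload = base64_encode(json_encode($prefs));
    return $payload . '.' . hash_hmac('sha256', $payload, PREFS_KEY);
}

// Return validated settings, or [] if the cookie is malformed or modified.
function unpack_prefs(string $cookie): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; reject before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, PREFS_KEY), $mac)) {
        return [];
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach (ALLOWED as $name => $values) {
        // Keep only known keys holding known values; drop everything else.
        if (isset($data[$name]) && in_array($data[$name], $values, true)) {
            $clean[$name] = $data[$name];
        }
    }
    return $clean;
}

// Constructed inputs: a valid cookie carrying an unknown "is_admin" key,
// and a copy whose payload was swapped while the old MAC was kept.
$cookie = pack_prefs(['theme' => 'dark', 'per_page' => '25', 'is_admin' => '1']);
$forged = base64_encode(json_encode(['theme' => 'light'])) . '.' . explode('.', $cookie, 2)[1];
var_dump(unpack_prefs($cookie), unpack_prefs($forged));
```

Privileges such as an admin flag stay server-side (in the session or database) and are never read from the cookie, so a signed cookie only has to protect display settings.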
Is there a point to learning about cookies? Yes. Should you learn cookies before sessions? Doesn't matter. They effectively work the same in programming logic, the only difference being setting an expiration date to the cookie. Cookies are great for remembering settings or user-specific data multiple times even after the user leaves the site and comes back to it long after that specific session has been destroyed.