php dynamic website > session vs cookie

bogdan
Forum Commoner
Posts: 27
Joined: Wed May 31, 2006 10:07 am
Location: Timisoara, Ro

Post by bogdan »

As in the previous posts: newbie says hello.

Regarding a login / logout.

What is best to use: session or cookie? Perhaps a little explanation about them.... (sorry it is rather late and I've been working for more than 12 hours now, with some breaks of course)

I am thinking that session is server-side, while cookie is client-side. The cookie part means that the user must have cookies enabled.... what if the user does not have cookies enabled?

Just occurred to me: do you use both, session and cookie? Any downfalls and benefits to one, the other, both?

Regards, B
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Sessions are much more secure as the user has no access to the data stored in a session (cookie is just plain text). Be that as it may, it's still a VERY bad idea to carry personal information in a $_SESSION superglobal (it's fatal to carry it in a $_COOKIE autoglobal). I use cookies and sessions together like this: when a user logs in, he has the option for the site to remember him. Should that option be checked, I store a cookie in his computer with his session_id, and I store that same session_id in a database. Each time a user hits my homepage, I run a cookie check (check if he has a cookie set from my domain, if he does, check to make sure that the session_id matches the one in the database), and if the check passes, I start a session with all the information I need about the user (user_id, username, etc.). I would never carry any user information (other than some very obscure id) in a cookie.

Good luck.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

PHP sessions automatically attempt to use a cookie to store a unique session id on a client's machine. If cookies are disabled, the session id is appended to every URL within the site.

All session information (unless otherwise specified) is stored in a directory above your root directory (which you may specify in the ini file). When session information is requested, PHP checks whether the user has a cookie with the correct session id, if not it checks the URL. If it finds a correct id in either, it retrieves the requested variable from the file stored above the root, and returns it. Make sense?
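
Added example, not code from this thread: a PHP sketch of the remember-me check evilmonkey describes, combined with the cookie-only session id handling Luke's post touches on. It swaps the stored session_id for a separate random single-use token kept only as a hash; the table `remember_tokens`, the cookie name `remember`, the function names and the in-memory SQLite database are assumptions, and it expects PHP 7.3+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Issue a remember-me token for $userId and return the value to put in the cookie.
function issueRememberToken(PDO $db, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash reaches the database
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Validate a cookie value; returns the user id or null. Each token works once.
function checkRememberToken(PDO $db, string $cookie): ?int
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                          // malformed or tampered cookie
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                          // unknown or already used selector
    }
    // Delete before comparing so a copied cookie cannot be presented twice.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $m[2])) && (int)$row['expires'] >= time();
    return $ok ? (int)$row['user_id'] : null;
}

// Web entry point for the homepage check (defined here, not called by the CLI demo).
function resumeFromCookie(PDO $db): void
{
    $raw = $_COOKIE['remember'] ?? null;
    $userId = is_string($raw) ? checkRememberToken($db, $raw) : null;
    if ($userId === null) { return; }
    // The session id travels only in a cookie, never appended to URLs.
    session_start(['use_only_cookies' => 1, 'use_trans_sid' => 0, 'use_strict_mode' => 1, 'cookie_httponly' => 1, 'cookie_secure' => 1]);
    session_regenerate_id(true);              // fresh id for the newly authenticated session
    $_SESSION['user_id'] = $userId;           // only an opaque id is kept, server-side
    setcookie('remember', issueRememberToken($db, $userId), ['expires' => time() + 1209600, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo: user 42 ticks "remember me"; the same cookie is then presented twice.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
$cookie = issueRememberToken($db, 42);
var_dump(checkRememberToken($db, $cookie), checkRememberToken($db, $cookie));
```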
bogdan
Forum Commoner
Posts: 27
Joined: Wed May 31, 2006 10:07 am
Location: Timisoara, Ro

Post by bogdan »

Morning, :)
As I'm fresh unlike last night, yeah I think I get it.

Thanks a lot both for the reply(s).

Regards, B
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Another thing to bear in mind is that cookies have limitations as to how many you can have so it is always a good idea to keep it as clean/small as possible. Normally I only use the cookie to store the session id. Then the user_id is stored in the session if the user logs in as this is the information that is normally used in any select statement applicable for that user.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

1) moved to PHP Code.
2) Search the forums before you post - this topic has been covered numerous times in the past.