Cookie vs. Session

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
jiehuang001
Forum Commoner
Posts: 39
Joined: Mon May 12, 2003 12:53 pm

Cookie vs. Session

Post by jiehuang001 »

I have heard a lot about cookie, but never used it in my code. I think I don't like the idea of saving stuff into client's machine that much. Here are some questions:

1. if your code uses cookie but the user's browser disabled cookie, will there be any problem?

2. Can session do everything that cookie can? Is session a better way than cookie and is replacing the idea of cookie?

3. I have used the following session code:
//if the user provides right username, password
session_start();
session_register('username');
then in the following pages, I can use "$_SESSION['username']" to get the username value.
However, my question is, if there are hundreds of users logged into my website at the same time, will the "$_SESSION['username']" be able to identify who is who?

Your clarification is bestly appreciated.

Jie Huang
User avatar
detrox
Forum Newbie
Posts: 21
Joined: Wed Jun 04, 2003 1:27 am
Location: P.R.China

Post by detrox »

I think if one is better than the other one must be disapeared now. You can use your javascript to detect a client's cookie-support. Mostly, If the user logout your site the session will be deleted but not cookie(If you give it a more long life).
uncoDMX
Forum Newbie
Posts: 7
Joined: Thu Jun 05, 2003 5:49 am
Location: Romania
Contact:

Post by uncoDMX »

hmmm ...

To be honest i don't like cookies that much :P. I like using sessions more.

First thing that i like about sessions is that you can set values afther the
header has been sent to the browser but that's not much if you're a good programer and separate your scripts in two parts (one that makes the calculations where you ,if you want, set values for cookies and the part where you send the output to the broswer).

The thing with cookies is that if the browser doesn't support them ot they're disabled you cant't set them and retrive their data.

Sessions use cookies to store the session id but if cookies are disabled the session id will be added to evry link that points inside your site and will be visible.
Evry user gets his own session id but if somebody else knows a annother user's session id he can make use of that user's session data.

I find using sessions a more conveninet way to keep data in it as you can add to a session any type of data that can be added to an array.

Maybe this will help you decide.
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

uncoDMX wrote:Evry user gets his own session id but if somebody else knows a annother user's session id he can make use of that user's session data.
That's the reason I recommend using cookies. This isn't that big of an issue when it involves things like shopping carts, and things along thoses lines but when it involves saved user information or a member area, cookies are the way to go.

If they have any login/cookie problems, a page can be created with instructions on how to solve it. eg. Enable them, get a new browser, turn browser security on low, etc.
User avatar
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

Sami wrote:That's the reason I recommend using cookies. This isn't that big of an issue when it involves things like shopping carts, and things along thoses lines but when it involves saved user information or a member area, cookies are the way to go.
But cookies, are easy to be retrieved by the hackers. Session number also but it is a bit harder. As for me, I'm using both. When I wan't to save session data for longer I use cookie and session_encode(). If there's something simple I use session only. To use it more securely I also check user IP combined with session id on every page. So even if someone steals the sess id he will got an error and I will be informed about that.

To answer the topic question, I think cookies and session both have some prons and cons, and you cannot tell which one's better. It's only by the chose of the programmer.


BTW: If something would be better, the other thing wouldn't be at all, right :?:
Post Reply