What is the proper way to handle logins?



Stacks
Forum Newbie
Posts: 24
Joined: Thu Jun 05, 2008 7:52 pm

What is the proper way to handle logins?

Post by Stacks »

I'm doing my first web app from scratch and it's time for me to create the log-in. My app will need to allow users to log-in to edit their profile. In the future I will be adding e-commerce for upgraded accounts.

I know the two ways to tackle this problem are through cookies or sessions. I know a lot of sites use log-in cookies. However some sites do use sessions.

Does anyone have any insight on which is the "proper" way to handle log-ins, and why one way is better than the other?

So far I understand cookies are low impact on the server, while the sessions need more server resources.
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: What is the proper way to handle logins?

Post by André D »

Cookies and sessions are not competing strategies. Cookies are used to facilitate sessions, because the session identifier is usually saved in a cookie.

There are all kinds of tutorials out there for PHP login mechanisms, but I suggest you start by reading what the PHP manual says about sessions. Also, don't rule out HTTP authentication.
watson516
Forum Contributor
Posts: 198
Joined: Mon Mar 20, 2006 9:19 pm
Location: Hamilton, Ontario

Re: What is the proper way to handle logins?

Post by watson516 »

Just use sessions. You don't have to worry about people editing sessions, unlike cookies.
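The two replies above make the same point: the cookie only carries the session identifier, and the session data itself lives on the server where the client cannot edit it. The following is an added example, not code from the thread or from any poster, of a session-based login written that way. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and password_verify), that the site is served over HTTPS, and a users table; the $users array is a constructed stand-in for that table.

```php
<?php
// Added example (not from the original thread): minimal session-based login.
// Assumes PHP 7.3+, HTTPS, and a users table; $users is constructed stand-in data.

declare(strict_types=1);

// Constructed sample user store: id => [username, password_hash() of "correct horse"].
// Replace with a database lookup in a real application.
$users = [
    1 => ['username' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function startSecureSession(): void
{
    // Only the session id travels in the cookie; the session data stays on the
    // server, so a user cannot edit it. Lock the cookie down so the id is not
    // sent over plain HTTP or readable by injected JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not visible to document.cookie
        'samesite' => 'Lax',    // blunts cross-site request forgery
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    foreach ($users as $id => $u) {
        if ($u['username'] === $username && password_verify($password, $u['hash'])) {
            // Fresh id on privilege change: defeats session fixation, where an
            // attacker plants a known id in the victim's browser before login.
            session_regenerate_id(true);
            $_SESSION['user_id']  = $id;
            $_SESSION['login_at'] = time();
            return true;
        }
    }
    return false;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie client-side as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (assumes a POST form with 'username' and 'password' fields):
startSecureSession();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (login($users, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
        header('Location: /profile.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

The three things to check in any session login are visible here: the cookie flags (secure, httponly, samesite), session_regenerate_id() on login so a pre-set id cannot be reused, and use_strict_mode so the server refuses ids it did not create. Password storage uses password_hash()/password_verify(), which did not exist when this thread was written; it replaces the md5/sha1 schemes common in 2009-era tutorials.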
Stacks
Forum Newbie
Posts: 24
Joined: Thu Jun 05, 2008 7:52 pm

Re: What is the proper way to handle logins?

Post by Stacks »

I have read the PHP sessions page already, and just checked out HTTP authentication.

I'm leaning towards using sessions and cookies together.

Are there any big cons, or obvious security flaws to this setup that I should be aware of?

Is this the proper way to handle log-ins in 2009?
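The "sessions and cookies together" setup the post above asks about usually means a short-lived server session plus a long-lived "remember me" cookie. The following is an added example, not code from the thread or from any poster, of how to do that without the obvious flaws: the cookie holds a random selector and validator, only a hash of the validator is stored, the comparison is constant-time, and the token is rotated on every use. It assumes PHP 7.3 or later, HTTPS, a login-tokens table (the $tokenStore array is a constructed in-memory stand-in), and that the session login stores 'user_id' in $_SESSION.

```php
<?php
// Added example (not from the original thread): a persistent "remember me"
// cookie used alongside the PHP session. Assumes PHP 7.3+, HTTPS, and a
// login-tokens table; $tokenStore is a constructed in-memory stand-in.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

// Constructed stand-in for a DB table: selector => [user_id, validator hash, expiry]
$tokenStore = [];

function issueRememberToken(array &$store, int $userId): void
{
    // Selector finds the row; validator proves possession. Only a hash of the
    // validator is stored, so a leaked table does not yield working cookies.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function loginFromRememberCookie(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // Constant-time compare: the cookie value is attacker-controlled.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator suggests a stolen or forged cookie:
        // revoke the token so the real one stops working too.
        unset($store[$selector]);
        return null;
    }
    // Single use: rotate the token on every successful check so a copied
    // cookie is only good until the legitimate browser next uses it.
    unset($store[$selector]);
    issueRememberToken($store, $row['user_id']);
    return $row['user_id'];
}

// Usage: run at the top of each request, after session_start(), when there is
// no live session but a remember cookie is present.
session_start();
if (!isset($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $uid = loginFromRememberCookie($tokenStore, (string) $_COOKIE[REMEMBER_COOKIE]);
    if ($uid !== null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $uid;
    }
}
```

The trade-off to be aware of is that a remember-me cookie is a second credential that outlives the session; anyone who copies it gets the account until it is rotated or expires. For the e-commerce part mentioned in the first post, treat a session restored this way as lower-assurance and require the password again before changing payment details or the password itself.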