
What is the proper way to handle logins?

Posted: Fri Feb 13, 2009 2:42 pm
by Stacks
I'm doing my first web app from scratch and it's time for me to create the log-in. My app will need to allow users to log in to edit their profile. In the future I will be adding e-commerce for upgraded accounts.

I know the two ways to tackle this problem are through cookies or sessions. I know a lot of sites use log-in cookies. However, some sites do use sessions.

Does anyone have any insight on which is the "proper" way to handle log-ins, and why one way is better than the other?

So far I understand cookies are low impact on the server, while the sessions need more server resources.

Re: What is the proper way to handle logins?

Posted: Fri Feb 13, 2009 4:01 pm
by André D
Cookies and sessions are not competing strategies. Cookies are used to facilitate sessions, because the session identifier is usually saved in a cookie.

There are all kinds of tutorials out there for PHP login mechanisms, but I suggest you start by reading what the PHP manual says about sessions. Also, don't rule out HTTP authentication.

Re: What is the proper way to handle logins?

Posted: Fri Feb 13, 2009 5:40 pm
by watson516
Just use sessions. You don't have to worry about people editing sessions, unlike cookies.
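
The two replies above, as an added example that is not part of the original thread: a PHP login where the cookie holds only the session identifier and the login state lives in the server-side session. It assumes PHP 7.4+ served over HTTPS; `find_user()`, `log_in()`, `current_user_id()`, `log_out()` and the sample account are hypothetical names constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical user lookup with one constructed record; a real app queries its database.
function find_user(string $name): ?array
{
    static $users = null;
    $users ??= ['stacks' => ['id' => 1, 'hash' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

// The cookie carries only the random session id; the login state stays on the server.
ini_set('session.use_strict_mode', '1'); // refuse session ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,      // cookie is dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

function log_in(string $name, string $password): bool
{
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh id at login, so a pre-login id is useless
    $_SESSION['user_id'] = $user['id']; // kept server-side; the visitor cannot edit it
    return true;
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);              // not a valid setcookie() option
    setcookie(session_name(), '', ['expires' => 1] + $p); // expire the id cookie
    session_destroy();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = log_in((string)($_POST['name'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'logged in as user ' . current_user_id() : 'invalid credentials';
}
```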

Re: What is the proper way to handle logins?

Posted: Tue Feb 17, 2009 3:00 pm
by Stacks
I have read the PHP sessions page already, and just checked out the HTTP Authentication.

I'm leaning towards using sessions and cookies together.

Are there any big cons, or obvious security flaws to this setup that I should be aware of?

Is this the proper way to handle log-ins in 2009?