Why sessions?
Posted: Thu Apr 16, 2009 3:36 am
by GimbaL
Hello
Can someone explain to me... Exactly what is the advantage of sessions over cookies?
I understood sessions may also work if a visitor has cookies disabled. But the &sid=xxxxx on the url is an ugly workaround (doesn't that mess up SEO?) and I wonder... Is there really a significant percentage of visitors who can't use cookies??
Re: Why sessions?
Posted: Thu Apr 16, 2009 4:24 am
by papa
You don't have to use get or post as the session vars are stored from page to page. You can also use url rewrite for ugly urls.
Re: Why sessions?
Posted: Thu Apr 16, 2009 10:04 am
by pickle
Sessions are stored on the server, rather than the browser. Stuff from $_SESSION can be considered safe, as it's never directly exposed to the user. $_COOKIES have to be assumed dangerous, as the user can put whatever value they want in cookies.
Re: Why sessions?
Posted: Tue Apr 21, 2009 2:42 am
by GimbaL
papa wrote:You don't have to use get or post as the session vars are stored from page to page. You can also use url rewrite for ugly urls.
How do you mean, with mod_rewrite? Wouldn't that delete the session info?
I think I don't understand... if the session data is not stored in cookies, how can it be transferred from one page to another without adding ugly &sid=xxx parameters on the url?
pickle wrote:Sessions are stored on the server, rather than the browser. Stuff from $_SESSION can be considered safe, as it's never directly exposed to the user. $_COOKIES have to be assumed dangerous, as the user can put whatever value they want in cookies.
Is this certain? Doesn't that depend on the php / server settings? How about the cookies that get created when you start a session?
And isn't there still a risk that users could exchange each other's session cookies?
Re: Why sessions?
Posted: Tue Apr 21, 2009 5:36 am
by papa
http://us.php.net/manual/en/intro.session.php
Url rewrite has nothing to do with sessions. Google around and you'll find some nice reading.
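
An added example, not code from any post in this thread: a minimal PHP page showing that, with cookie-only sessions, the browser holds just the session ID while the data stays on the server, and that the settings below keep the ID out of the URL. The account, the `is_admin` key and the HTTPS deployment are assumptions made for the illustration.

```php
<?php
// Added example. The account below is constructed sample data.
$accounts = ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];

// Carry the session ID only in a cookie, never as a URL parameter.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session IDs that the server did not issue itself (PHP 5.5.2+).
ini_set('session.use_strict_mode', '1');
// Anyone holding the ID cookie is treated as that session, so keep it
// away from page scripts and off unencrypted connections (assumes HTTPS).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (isset($accounts[$user]) && password_verify($pass, $accounts[$user])) {
        // Issue a fresh ID at login so an ID known before login stops working.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        $_SESSION['is_admin'] = false; // written by the server only
    }
}

header('Content-Type: text/plain');

// The only session-related thing the browser sends is the opaque ID.
$hasId = isset($_COOKIE[session_name()]);
echo 'session cookie from browser: ', $hasId ? 'ID only' : 'none yet', "\n";

// The data behind that ID is read from server-side storage.
$who = isset($_SESSION['user']) ? $_SESSION['user'] : '(nobody)';
echo 'logged in as: ', $who, "\n";

// A value taken from $_COOKIE is whatever the client chose to send.
$claimed = isset($_COOKIE['is_admin']) ? $_COOKIE['is_admin'] : '(not sent)';
echo 'is_admin claimed in cookie (untrusted): ', $claimed, "\n";

// The authorization decision uses the server-side value.
$admin = !empty($_SESSION['is_admin']);
echo 'is_admin from session (server-side): ', $admin ? 'yes' : 'no', "\n";
```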
