Some questions about Sessions / Cookies
Posted: Sun Jul 10, 2011 12:32 pm
Hi, I'm still a beginner with PHP but just have a few questions on sessions and cookies which I hope someone can help out with.
As I understand it, a random session id is stored locally as a cookie (PHPSESSID), which links up to the user's session data stored on the server.
I am designing a website which currently stores a user's unique ID in a session variable. Other user data is generated on each page from this user ID. Am I right in thinking that this is secure, since the sensitive data (the user ID) is being stored on the server, and the only way someone else could access it is by cloning the PHPSESSID cookie?
Is it likely/possible that two identical PHP session IDs could be created, and if so is it possible to manually set the session ID (so that I can ensure its uniqueness)?
I wish to implement a 'Remember Me' feature. I know I need to set a cookie, but what should it contain? If it contained the username, that would surely be insecure since someone could just create a cookie with a known username to log in as that person. Should I be setting the PHP session ID cookie to expire in a year instead?
Thanks in advance.
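For the 'Remember Me' question above, an added example (not code from the original post) of what such a cookie can hold instead of the username: a random selector:validator token, where the server keeps only a hash of the validator. The `$store` array is a constructed stand-in for a database table, and the function names are hypothetical.

```php
<?php
// Added example: a 'Remember Me' cookie carrying a random token rather than
// the username. The server stores only a hash of the secret half, so a copied
// database does not yield working cookies. $store is a constructed in-memory table.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 365; // one year, in seconds

function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret part, never stored in clear
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;      // value that goes into the cookie
}

function sendRememberCookie(string $value): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, or null. A known selector whose
// validator does not match is revoked, since the token may have been tampered with.
function checkRememberCookie(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($store[$selector]);
        return null;
    }
    return $row['user_id'];
}

// On a valid cookie, start a fresh session holding the user id, as the post describes:
// session_start(); session_regenerate_id(true); $_SESSION['user_id'] = $uid;
```

The cookie itself never contains the user ID, so a cookie crafted from a known username alone gives nothing; the server-side row can also be deleted on logout to revoke the token.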