Yet another Sessions, Cookies, and Logins post
Posted: Sun Sep 14, 2008 8:12 am
Yep. One in every four posts must be about this topic in this forum, yet I still can't figure this out. I thought I had it after following the wonderful Challenge/Response Tutorial. I implemented this, and it worked very happily. Aside from OOPing it to some extent, I've written almost the exact code he has in that tutorial.
From what I understand, you authenticate the user, and if everything checks out, you set the session variable "Authenticated" to 1. Every page then, you session_start(), and check if Authenticated exists and is equal to 1. The way I understand it is that the server holds a set of session variables that are unique to every session. The server knows which session variables to get based on a value in a cookie that is automagically set by the session_start() function.
So, session variables and cookies work in tandem. Session variables stay on the server, and the server checks the cookies to know which session variables to pull up.
So, that's all well and good (if I'm right in all of the above), until I go about reading a book I bought, Advanced PHP Programming, and read about their User Authentication section. Their implementation doesn't even mention sessions. All it does is work with the cookies. It basically does a bunch of mcrypt functions, and encrypts three values to the cookie: the userID, the version, and the time. If it's more than three minutes it issues a new cookie. If any of these are incorrect, the user gets to log in again. So, it's totally cookie based.
I really hate the latter option if I have to use it. Lots of encryption overhead, the user seems to have to log in more, and I already have the former option implemented. Is my understanding of one or both of these methods flawed? If not, which is more effective? Is it simply a matter of choice?
Thank you very much, and I apologize for adding to the mess of session and cookie related questions in this forum.
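The two approaches described in the question side by side, as an added example that is not code from the original post, the tutorial or the book. It assumes a server-side `$secret` loaded from configuration and a user id and version taken from your own user table after the password check; it swaps the book's mcrypt encryption for an HMAC, since the three values only need to be tamper-proof, not secret.

```php
<?php
// Added example: session-based login versus a signed stateless cookie.

// --- Option 1: server-side session (the Challenge/Response tutorial's approach) ---
function login_with_session(int $userId): void {
    session_start();
    // Issue a fresh session id on login so an id fixed before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['Authenticated'] = 1;
    $_SESSION['userID'] = $userId;
}

function is_authenticated_session(): bool {
    session_start();
    return isset($_SESSION['Authenticated']) && $_SESSION['Authenticated'] === 1;
}

// --- Option 2: cookie carrying userID|version|time (the book's idea, HMAC instead of mcrypt) ---
const COOKIE_TTL = 180; // three minutes, as in the book

function make_auth_cookie(string $secret, int $userId, int $version, ?int $now = null): string {
    $now = $now ?? time();
    $payload = "$userId|$version|$now";
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Returns the userID when the cookie is genuine and the version matches, otherwise null.
// Sets $needsRefresh when the cookie is older than COOKIE_TTL so the caller can reissue it.
function verify_auth_cookie(string $secret, string $cookie, int $expectedVersion,
                            ?bool &$needsRefresh = null, ?int $now = null): ?int {
    $now = $now ?? time();
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null; // malformed
    }
    [$userId, $version, $issued, $mac] = $parts;
    $expectedMac = hash_hmac('sha256', "$userId|$version|$issued", $secret);
    // hash_equals compares in constant time, so response timing does not leak the MAC.
    if (!hash_equals($expectedMac, $mac)) {
        return null; // forged or tampered
    }
    if ((int)$version !== $expectedVersion) {
        return null; // version bumped server-side (e.g. password change) forces re-login
    }
    $needsRefresh = ($now - (int)$issued) > COOKIE_TTL;
    return (int)$userId;
}
```

Only option 1 stores anything on the server; option 2 is revoked by bumping the stored version, which is why the book carries it in the cookie.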