Programming Forums


Satans_Banjo Jul 8th, 2007 6:47 PM

Cookies or Sessions?
 
Hi

I'm making a website which involves a user logging in and then staying logged in the whole time. There will be a user control panel which displays all of the user's vital statistics and their username will be displayed in the corner of every page while they're logged on. I was wondering what would be the best way to implement this: cookies or sessions? And are there any tutorials you would recommend for this kind of thing?

Thanks, and sorry I've filled the entire PHP forum

Banjo

Dameon Jul 8th, 2007 11:12 PM

Cookies and sessions aren't entirely distinct. A cookie is stored on the client and returned to the server with every request. That's how an individual user can be recognized among the hundreds of requests that can be occurring at the same time. But they're only on the client. You have to trust what they give you. They can decide what data they send you; users may not accept cookies at all, or could just as well send bogus ones.

Good Idea:
Store their preference for text size or page theme.

Bad Idea:
Store which user they are logged in as (and trust this information)

PHP sessions store data on the server. You can set session variables which will retain their values across requests from the same client. To do this, cookies are usually used -- using the unique cookie value, the server can look up the existing session data and load it for the script to use. The user can report whatever session ID that they want. But sessions expire, and the chance of guessing one is highly unlikely. The real danger is someone sniffing or otherwise obtaining the session ID (hijacking it). This threat can be somewhat mitigated by using SSL (https).

Sessions are a much better choice for storing login info. Just be warned that sessions are designed to expire, so long term ("remember me") login will likely need to be a separate addition. The best reference is the official page, though a tutorial may help you wrap your head around it.
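An added example, not part of the post above and not code from this thread: the cookie-trusting check from the "Bad Idea" beside a login that keeps the identity in a server-side PHP session, with the session cookie restricted to HTTPS. The user table, function names and form field names are constructed for illustration, and the options-array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Constructed user table; a real site would read this from its database.
$users = ['banjo' => password_hash('correct horse', PASSWORD_DEFAULT)];

// BAD (the "Bad Idea"): the client chooses this cookie value, so it proves
// nothing about who is actually logged in.
function currentUserFromCookie(): ?string
{
    return $_COOKIE['user'] ?? null;
}

// The session cookie carries only a random ID; the data stays on the server.
function startSession(): void
{
    session_set_cookie_params([
        'secure'   => true,   // sent over HTTPS only, so it cannot be sniffed in clear text
        'httponly' => true,   // not readable from page JavaScript
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
    session_start();
}

function logIn(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    session_regenerate_id(true);  // new ID at login; the pre-login ID stops working
    $_SESSION['user'] = $name;    // stored server-side, never sent to the client
    return true;
}

// GOOD: identity comes from server-side session data looked up by the ID.
function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

startSession();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (is_string($name) && is_string($pass)) {
        logIn($users, $name, $pass);
    }
}
echo 'Logged in as: ' . htmlspecialchars(currentUser() ?? 'guest');
```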

Satans_Banjo Jul 9th, 2007 5:25 AM

Thanks. So sessions would be good for day-to-day use, but I should use cookies to create a 'remember me' checkbox?

