Jump to content

cookies and session question


alejandro52

Recommended Posts

What is the best practice to use cookies and sessions? Should i create a cookie and keep inside the cookie the name of the username the user has logged in or a session? How am i supposed to compine theese two? Is there any example or a tutorial on this? For example how does php freaks sessions and cookies work.

Link to comment
Share on other sites

I use cookies to set variable (i.e. affiliate tracking ID's) and sessions to move that affiliate ID (which is sent to the site via GET function <URL>).

 

So in short, the cookie is used when you want to try and hold information for a user who may return to the site.

A session is used to handle that current visitor's interaction with the site (passing the captured info from page to page).

 

Here are good links to understand both:

http://www.w3schools.com/PHP/php_cookies.asp

http://www.w3schools.com/PHP/php_sessions.asp

 

Link to comment
Share on other sites

First of all cookies should never be used to store important/private data, nor be trusted. A user can easily modify a cookie to anything they want. If you store usernames in them, all the user would have to do is modify their cookie and they can be any user they wish. Really the only time you should use cookies is to store non-private/insecure data, like for example page references, 'remember' tokens that are validated server-side, session IDs, etc.

 

PHP sessions on the other hand are stored on the server and cannot be manipulated by the user. A session ID is automatically generated and stored within the user's cookies to link the user to the session. This isn't "trusted" however - additional checks are done to verify the user hasn't just stolen somebody else's session ID. You can store private data (to a degree) in these relatively securely. Of course if there's a major security hole in your system then the data may be compromised.

Link to comment
Share on other sites

First of all cookies should never be used to store important/private data, nor be trusted. A user can easily modify a cookie to anything they want. If you store usernames in them, all the user would have to do is modify their cookie and they can be any user they wish. Really the only time you should use cookies is to store non-private/insecure data, like for example page references, 'remember' tokens that are validated server-side, session IDs, etc.

 

PHP sessions on the other hand are stored on the server and cannot be manipulated by the user. A session ID is automatically generated and stored within the user's cookies to link the user to the session. This isn't "trusted" however - additional checks are done to verify the user hasn't just stolen somebody else's session ID. You can store private data (to a degree) in these relatively securely. Of course if there's a major security hole in your system then the data may be compromised.

 

Thanks for the reply, you got me kind of covered. But if i use session, when the browses closes so does the session. How am i supposed to restore the session when the user reopens the browser. If i store the session id inside a cookie whould that be ok(is it true that firefox does that automaticaly unlike iexplorer)? And how am i supposed to prevent another user from stealing the session id.

Link to comment
Share on other sites

The key is not storing priv-type info as cookie (i.e. username, password, etc...)

I suggest setting a numerical id or some sorts as the cookie and using that cookie to retrieved stored session info.

 

Note: as long as the user doesn't clear the cookie, then you can re-establish their previous connection to which the cookie will send that id value back to authenticate that user. Again, don't use cookie to handle login processes, etc... but as a basis to alert the script of previous user's interaction with the site. You can hold the more sensitive data in sessions to which can be re-established if custom coded to hold the info for longer durations.

 

There are custom configurations you can make to allow sessions to hold longer but could create overhead on the server (long term). Just go to www.php.net

 

 

Link to comment
Share on other sites

If i store the session id inside a cookie whould that be ok(is it true that firefox does that automaticaly unlike iexplorer)?

 

I'm not sure what you mean by Firefox doing it automatically. The PHP configuration primarily controls how the session ID is stored. It's using a cookie by default, but you can change the setting to have the session id automatically appended to every link instead.

 

And how am i supposed to prevent another user from stealing the session id.

 

If you use standard PHP sessions, you don't need to worry about session hi-jacking. PHP prevents that. If you create your own custom sessions, then as mentioned before, not just relying on the cookie to be correct and validating the user is who they say they are.

Link to comment
Share on other sites

So step by step what i'm going to do: user types in username and password. with the php post method i check if they are correct. If they are i set the user id and username in the session. I also set the users ip inside a cookie. Now when the user closes the browser the session is destroyed. When the user reopens the browser and comes back to the web page i check to see if the user ip is the same as the user that came back. If it is i set once again in the session the usename and user_id. Is that correct? BTW how come php remebers my username even if my ip has changed?

Link to comment
Share on other sites

No, not quite. Are you implementing your own custom sessions here? If not and you're just using standard PHP sessions you don't need to worry about any of this. Just call session_start and PHP will handle the rest - remember to call session_start() on any page you need sessions though.

Link to comment
Share on other sites

No, not quite. Are you implementing your own custom sessions here? If not and you're just using standard PHP sessions you don't need to worry about any of this. Just call session_start and PHP will handle the rest - remember to call session_start() on any page you need sessions though.

Yes, i know how to use session start and i know how to use just sessions without cookies. My main problem is how am i goiing to restore the session when the user comes back to my web page. Should i store the session name in a cookie and also in a table in my database and check if they match? or should i check if the users ip is the same with that on the cookie?What is the best practice when you want to restore a session after the browser is closed and reopoened?

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.