
users !


lofaifa


I'm new, and ...  :'(

 

I hate tutorials, books, anything that doesn't make you part of the deal. That's why I started by creating something and learning from my mistakes at the same time. I like this way of learning.

 

So, while I'm building and trying things out, I started thinking: how does the server know the person with this link is really you? When you just start linking pages to each other, it's just a matter of finding out what the link is to do whatever you want with the users' personal pages! I know my questions are stupid, but I just hate to go and write lessons without any effort.

 

I'm confused with the concept of SESSIONS and COOKIES. Are they the answer to this security problem? How can you work with them?

 

I'm not asking for code, just general ideas about users and how they control their profiles and stuff with full security.

 

I'll be very thankful if I get any answer ^^

 


In a nutshell, and not all that accurate.

 

Servers and computers have IP addresses. Servers don't care who is looking at their pages. The server gets a request for a page that tells it where to send it (IP address) and it does just that.

 

But sometimes the server needs to know who is messing with it, e.g. "you must be signed in to post". The server finds out if you're signed in via cookies.

When you sign in, the server sets a cookie that says you're signed in, and it looks for that when you try to post, no matter what page of the server you're on.

 

Cookies are kept on your machine and Sessions are kept on the server. Outside of that, very little difference. They are used to retain information about the user.

 

They do not answer anything about security. Don't trust them for that or anything important.


Cookies are kept on your machine and Sessions are kept on the server. Outside of that, very little difference. They are used to retain information about the user.

 

This is really all you need to know.

What you need to learn, is how to take advantage of it.

 

They are both SUPERGLOBALS, which in essence is just another array.... that you can use everywhere!

    - assuming you use session_start() and all that.

 

The question you have to ask yourself is WHAT do you want to be accessible.. and where.

- the server

- the client

If you store it in the client superglobal $_COOKIE, then that user can simply go to his temp files or wherever and see these cookies.  I also believe you can just view ALL your cookies in Firefox...

 

If you store it on the server superglobal $_SESSION, then only your scripts can access the information.
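An added example, not posted by anyone in this thread, showing in PHP the two approaches the replies above contrast: remembering the user in a client-side cookie that the browser (and therefore the user) controls, versus keeping the user's identity in $_SESSION after the server has checked the password. It also answers the original question about links: the URL of a profile page never identifies the visitor; the session does, and the server compares the two. The findUser() lookup and its single sample user are constructed stand-ins for a real user table; the rest is standard PHP (the array form of session_set_cookie_params() needs PHP 7.3 or later).

```php
<?php
// Added example; not code from the thread. findUser() and its one user are
// constructed stand-ins for a database table.
declare(strict_types=1);

function findUser(string $username): ?array {
    static $users = null;
    if ($users === null) {
        // constructed sample row; the hash would normally live in the database
        $users = ['alice' => ['id' => 42,
                              'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// INSECURE: trusting a cookie as proof of identity. $_COOKIE is whatever the
// browser chose to send, so a visitor can set user_id=1 and "become" that user.
function insecureCurrentUserId(): ?int {
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// Session-based approach: the cookie only carries a random session ID; the
// facts about the user stay on the server in $_SESSION.
function startSecureSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // expires when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site POSTs
    ]);
    session_start();
}

function login(string $username, string $password): bool {
    startSecureSession();
    $user = findUser($username);
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh session ID on privilege change; an ID the attacker planted
    // before login (session fixation) becomes useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

function currentUserId(): ?int {
    startSecureSession();
    return $_SESSION['user_id'] ?? null;
}

// "You must be signed in to post": called at the top of any page that needs a user.
function requireLogin(): int {
    $id = currentUserId();
    if ($id === null) {
        http_response_code(403);
        exit('You must be signed in to post.');
    }
    return $id;
}

// profile.php?id=42 style check: knowing the link is not enough, the session
// must belong to the profile's owner.
function canEditProfile(int $profileOwnerId): bool {
    return requireLogin() === $profileOwnerId;
}

function logout(): void {
    startSecureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // also clear the session cookie in the browser
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The session cookie is still a bearer token: anyone who obtains it is that user until it expires or is destroyed, which is why it gets the secure and httponly flags and why a new ID is generated at login. Nothing in this example protects the password in transit or the pages from other bugs; it only shows where the identity lives and who is trusted to state it.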

 


This topic can become quite complex.

 

Sessions are a way of adding state to a system that is stateless by design. Generally, it's better to let someone experienced handle this kind of code in production environments while you dabble in your own methods for hobby/educational projects.

 

If you want to know good practices to follow when dealing with username/password combinations, please check out the article in my signature. It goes over the theory and provides several step-by-step examples of implementing said system.
