Necessity of cookies and session_start()

[Cupidvogel]

Hi, I was just wondering about the necessity of using cookies and session_start() to preserve state and provide personalization. Why can't it be done this way: The user logs in, the script adds the IP address of the client, together with his account info (say user id), and browser name, to a MySQL table, and configures the table (by setting a MySQL event) to delete that row after, say, 30 days (if not the user logs out in between, in which case the row is explicitly deleted). Now each time a page request comes from that client through that browser(as verified by grabbing the IP address and browser info), a check in the session table is done to see whether that IP address is in that table. If yes, it means that a user is logged in, and after grabbing the user id (necessary, because many users can log in from the same IP, whether from one or more than one browser), an accordingly personalized page is sent to the client. If no, then it sends just a normal page. Is it feasible or possible?

[mrMarcus]

You're looking for an alternate to using cookies?

[Cupidvogel]

Umm, I don't know whether I am looking for an alternative, I just felt that this is really neat, so I wanna know whether this is feasible or not...

[PFMaBiSmAd]

after grabbing the user id

 

From where would you be getting the user id? It would need to come from the browser with the http request in order to distinguish which of the multiple possible users just made a request from the same ip address.

 

The only information you get with each http request is the ip address, the URL (paths and get data), any headers (which includes cookies, session id cookie, and browser user agent), and any post data.

[Cupidvogel]

No no, when the user logs in, say with a user-name of foo, the server will naturally assume that each subsequent page request from that browser in that IP is coming from that user (it will store the user-id, IP address, browser info in a table). Surely if you log in to Facebook, then go to bathroom without logging out, and in the meantime your brother clicks a link to one of your female friend's page, the server will think that it is you, and send a personalized page accordingly?

[mrMarcus]

No no, when the user logs in, say with a user-name of foo, the server will naturally assume that each subsequent page request from that browser in that IP is coming from that user (it will store the user-id, IP address, browser info in a table). Surely if you log in to Facebook, then go to bathroom without logging out, and in the meantime your brother clicks a link to one of your female friend's page, the server will think that it is you, and send a personalized page accordingly?

 

No security in that plan whatsoever.  What about shared computers?  IP address changes?  Multiple browsers?  The user will never be able to retain any information/data with a site using that method as there is no indefinite way of relating any data to any specific user as there are too many variables.

 

Is good that you're trying to think outside the box, but in this case, it's best to just stick with the norm unless an application truly needs something different.

[PFMaBiSmAd]

What you are suggesting won't work when there are two or more computers with the same browser in the same network/same ip address. This situation would commonly occur in households, companies, universities, businesses providing wifi hot spots, ...

[Cupidvogel]

Yeah, I shall stick to the norm, I just want to know what are the holes in this process. Firstly you said shared computer. Obviously if two users are using the same computer, then the server will have no way of knowing which user is requesting the page, so it will send the page in conformance with the currently logged in user (in fact, even cookies can't help in this case, can they?) I don't know about the IP address change problem. Please explain, I have almost zero knowledge about networking. And multiple browsers are quite possible, that is why I am storing the browser info of the logged in user as well, so that a page request from a different browser provides a normal page.

[Cupidvogel]

What you are suggesting won't work when there are two or more computers with the same browser in the same network/same ip address. This situation would commonly occur in households, companies, universities, businesses providing wifi hot spots, ...

 

Ummm, can't I extract the MAC address out of the IP address for individual page request? I mean, even if the IP addresses are same, there has to be some way of differentiating two computers!

[PFMaBiSmAd]

There's no way to identify a computer over the Internet unless you get that computer to store and send a cookie value with the http requests.

 

The MAC address is not sent with http requests.

[Cupidvogel]

Oh, so that's why cookies stand out you say, because it can uniquely identify a computer even if others are using the same IP as well, and thus avoiding all gotchas others have mentioned here? My method will fail on a WiFi network if multiple users are using the same browser, because each will have same IP address?

[mrMarcus]

The method that you're referring to here would only provide temporary personalization, at best.  Let's not get confused into thinking that a method such as this would provide any sort of legitimate method of storing any specific user-based information for the long-term, such as a site like PHPFreaks.com.

 

With that clear, if you're looking to validate a user against an IP address (as well as browser, etc.), and that IP address changes on their PC at home (as they often do), then their data would be no longer available to them.

 

in fact, even cookies can't help in this case, can they?

 

Cookies are not used for validation against a database, or at least they shouldn't be.  Cookies might be used for simple personal preferences such as "don't show me that popup again" or by changing the background colour of a site (amonsgt a bunch of other simple tweaks [saving ones username for easier login]).

 

Obviously if two users are using the same computer, then the server will have no way of knowing which user is requesting the page, so it will send the page in conformance with the currently logged in user

 

You just answered your own question right there ^

[PFMaBiSmAd]

each will have same IP address?

 

Yes. All the computers within the same local network will share the single public ip address of the router.

[Cupidvogel]

Well, if the client's IP address can change, how ill PHP session help in this case? And I don't know about cookies, but are the information stored by them sent automatically to the server when the user requests a page from that domain, either by clicking a link or typing the address into the address bar?

[mrMarcus]

preserve state and provide personalization

 

Going back to your initial goal.  Are you looking to achieve long-term personalization and storage of data related to any one specific user?

[Cupidvogel]

Yeah. Like in Facebook, where once you log in, you remain logged in for good...

[mrMarcus]

So this is just a matter of preserving the login status and not about saving personal data to the site, correct?  E.g., storing my name, address, phone number.

[Cupidvogel]

I didn't get what you said. Whatever data I saved was saved while I was active, so how can that be undone when I close the browser?

[mrMarcus]

Not that it's "undone", just that there is no sure way of that same user ever retrieving his/her data ever again with all the said variables.

 

They could spend 6 hours saving all kinds of data one day, wake up the next morning and their IP address has changed.  Now, you're system would be verifying a user based on their IP address, and all of a sudden, Tommy down the street now has access to your data because his IP is associated with the user data you saved the day prior.

[Cupidvogel]

Oh no, of course I would never allow that!