danielspencer2

  1. OK guys, I found out I will use PHP with session cookies, not persistent cookies: http://www.dustinsdesign.com/php-sessions-vs-cookies/ Session cookies are stored in the browser's memory and not the user's hard drive. One thing though, is the default HTTPS SSL cookie a session cookie or a persistent cookie?
  2. I'm interested in finding out about passing the session ID in the URL for every request. I have searched Google but I can't find any example login scripts that use this method, do you know any that do? No, because it always uses both (unless the session ID is passed for every request in the URL itself). The cookie is a pointer to the session. Without the cookie, the server has no idea there even is a session, let alone whose session file is whose. Use the cookies, safer and less for you to have to control from within your own code. thorpe's simple login script does exactly what you should be doing. Sessions will expire after a period of inactivity, defined by the session.gc_maxlifetime value within the php.ini file. I've read that if a person sends their user ID and password to another person, then that second person can log in as them. If a user gives away their personal information like that, then there's very little that security checks can do. Hackers can also try to intercept HTTP packets travelling between browser and web server to read cookie data for the session ID. Session timeout with the session.gc_maxlifetime reduces the timeframe where the user has closed their browser, and the cookie value still has any value to a hacker. If you want to make things even more secure, use SSL.
  3. So would you be able to post here a simple PHP login script that uses sessions instead of cookies? And can you make sessions expire? Because I read that if a person sends their session ID URL to another person then the other person will be able to log in with just the URL. Probably both, depending on your PHP configuration. Typically, a cookie is stored in the client browser. That cookie name is (by default) PHPSESSID, and its value is the session ID allocated by PHP. If you have a cookie editor for your browser (an extremely useful testing tool), you can actually see this. The browser also holds a record of the domain which issued the cookie, and its lifetime... all pieces of information set by PHP when it sends the response headers instructing the browser to create the cookie. Subsequently, whenever the browser sends a request to the server matching its domain and within the cookie lifetime, the cookie name/value itself is also sent to the server. If the browser sends a request to a server in a non-matching domain, or the cookie lifetime has expired, the cookie name/value is not sent with the request. As an alternative, it is possible to configure PHP so that it doesn't use a cookie, but sends the session ID key/value pair as part of the request as a $_GET or $_POST parameter... you might then see the session ID value in the address bar. The value of the session cookie matches a session file held on the server (typically in the /tmp directory, with a prefix of "sess_"), and it is in this file that all the session data is held. That data is not available to the browser, only to the PHP script.
  4. But does the code you provided me with use cookies or just sessions? If it uses a cookie, what information is found in the cookie and where is the session.cookie_lifetime value?
  5. Thanks guys. That really helped. Does anyone know of a free website that makes their cookies expire when the browser is closed, so I can test this by signing up and logging in, then reloading my browser and seeing if I am indeed logged out?
  6. I found session.cookie_lifetime and it says: "session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means 'until the browser is closed.'" How does the server know that the browser is closed? Because when you close your web browser it doesn't send out any info to the server.
  7. How would I use PHP and the session cookies feature it provides to make a user automatically log out after 60 minutes of inactivity? I was thinking when people first log in the start time will be stored as 0, and whenever they click somewhere it will be set to zero again, but if they click again and their last click was more than 60 minutes ago, the cookie will be deleted, session unset, logged out, etc. How would I do this in PHP using the session cookie feature?
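
The 60-minute inactivity logout asked about in the last post, as an added example that is not code from the thread or from any poster. It stores the time of the last request in the session rather than a counter; `IDLE_LIMIT`, the `last_activity` and `user_id` session keys and the `/login.php` URL are assumed names, and `cookie_secure` assumes the site is served over HTTPS.

```php
<?php
// Added example (not code from the thread): idle logout after 60 minutes.
// IDLE_LIMIT and the 'last_activity' / 'user_id' session keys are assumed names.
declare(strict_types=1);

const IDLE_LIMIT = 3600; // 60 minutes, in seconds

// Pure check so the rule is easy to test: true when the session sat idle too long.
function is_idle_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function start_session_with_idle_timeout(): bool
{
    session_start([
        'cookie_lifetime'  => 0,          // session cookie: dropped when the browser closes
        'cookie_httponly'  => true,       // not readable from JavaScript
        'cookie_secure'    => true,       // sent over HTTPS only
        'use_only_cookies' => 1,          // never accept a session ID from the URL
        'use_strict_mode'  => 1,          // reject session IDs the server did not issue
        'gc_maxlifetime'   => IDLE_LIMIT, // let the server discard stale session data
    ]);

    $now = time();
    $last = $_SESSION['last_activity'] ?? null;
    if (is_idle_expired($last, $now)) {
        // Idle too long: wipe server-side data and expire the browser cookie.
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
        return false; // caller redirects to the login page
    }

    $_SESSION['last_activity'] = $now; // every request resets the idle clock
    return true;
}

// On each protected page:
if (!start_session_with_idle_timeout() || !isset($_SESSION['user_id'])) {
    header('Location: /login.php'); // assumed login URL
    exit;
}
```

The server never learns that the browser was closed; the browser simply stops sending the cookie, and the server-side timestamp check is what ends a session that is still being presented after the idle limit.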