COOKIES Vs. sessions stored on server.

[vicodin]

Hello all, im in the process of making a site and i plan to have thousands of users at once (dont we all) and the server is a shared server. I dont want any session clashes and i was wondering what would be the best way to prevent this. Should i go cookie or stored session. Also what would be the best way to create a unique session id so i can guarentee against session clashes. Thank you for your time.

[revraz]

The session id that is generated will be unique.

[.josh]

"Session clashes" are not something to be concerned about.  The server automatically does that for you.  The concern about sessions on shared servers is security: that is, poorly setup servers allowing other people on your shared server to gain access to your IDs.

[vicodin]

Now would that be on the hosting side or is there something i could do about that in my php codE?

[PFMaBiSmAd]

On a shared web server, you need to set session.save_path to be to a "private" folder that is within your account's folder structure. Ideally this should be a folder that is outside of your document root (closer to the disk root) so that no one that guesses its' name can browse to the files or if you cannot create your own folders outside of your document root folder and you must place the folder in your document root folder, then you need to put a .htaccess file in it that denies all http/https requests.

[Mchl]

Or you can redefine session handling, so that session data is stored into database.