Cookies, or sessions?

[localhost]

Say you are developing a very important web application that requires multiple users signing up and being at this website ALOT. Which would you recommend for security and no annoyance of being logged out?

What are the pro's and con's to each one?

[Joe Haley]

Both.

Use sessions for active user sessions, and a 'remember me' system for letting users gain a user session without activly logging in.

A 'remember me' cookie is commonly the username and encrypted password, allowing you to check for the cookie when initializing sessions and such.

I personally woulnt store a password in there. i would store a unique id alongside the users information in a DB / Flatfile, and set the cookie to that value. (and modify both values to a new unique id every time a new active session is created)

[digitalgod]

yeah that's exactly what I do

[code]
<?php
if ($remember == "yes") {
      $_SESSION['remember']=$uname;
  setcookie("remember",$uname,time()+31449600,"/",$site_address);
      }
      else {
      $_SESSION['remember']=$uname;
      }
?>
[/code]

[Joe Haley]

[quote author=digitalgod link=topic=101440.msg401533#msg401533 date=1153533975]
yeah that's exactly what I do

[code]
<?php
if ($remember == "yes") {
      $_SESSION['remember']=$uname;
  setcookie("remember",$uname,time()+31449600,"/",$site_address);
      }
      else {
      $_SESSION['remember']=$uname;
      }
?>
[/code]
[/quote]

If $uname only contains their username, thats bad, as anyone can use that information to login to their session.