nvee Posted February 10, 2010

Hey guys

This is not as much a code help as a little info help. I am busy with a project and I have very little session experience. I understand how they work, how to start them and use them, but the nature of my project means I have to make extra sure that it is safe and user-friendly, and I am not too clued up with the way things will have to happen.

1) Using a combination of sessions and cookies - I want a function where my clients can say remember me. I understand that I need to use both cookies and sessions for this. If I understand it correctly, the cookie only really saves the session number, is this correct? If this is the case, won't the session be destroyed after the browser is closed? If I have it completely wrong, does this mean that if I want my clients to remain logged in, I must use cookies?

2) Storing session data in a database - I am busy going through a tutorial on saving session data in a database. I was always under the impression that doing this, it increases the security of my project, but it sounds now that it's more to do with running a central project over multiple servers. Am I correct? Is there really any advantage storing session data in a database besides this? Is there any improved security?

3) What is your suggestion on the best practice to do my request?
nvee Posted February 10, 2010

anyone?
teamatomic Posted February 10, 2010

1. Short answer, yes. But... they don't really remain logged in for days at a time. What happens is you set all their data in a cookie and when a user visits your site you look for a cookie. If you find it you grab the data and automatically log the user in. It is transparent and thus looks like the session was never over but in actuality it expired. That holds true mostly for all shared hosting. If you run your own server and have lots of space then you can set it so sessions stay active forever if you wish, again, as long as the associated cookie remains on the user's computer.

2. Storing session data in a DB is either/or a replacement for cookies or a backup to a cookie if the user clears their personal data. The advantage is when they log on, either automatically with a cookie or after manual log in, the data from the cookie or the DB can be used to set stuff like their default language, last page viewed, last date/time at site, position in a game, etc. without any user intervention.

3. Use cookies and DB per #2 explanation. As an experiment look for the phpfreaks cookie on your computer. Open it and examine the contents. Delete it and you will have to login again.

HTH
Teamatomic
nvee Posted February 10, 2010

Okay wait ... Do I understand correctly that I must avoid sessions? I was told that cookies are not as secure as sessions, but understand that the session is destroyed when the browser is closed. I think that is what I don't understand. So in a nutshell:

1) If I want my users to remain logged in I have to use cookies? I cannot use sessions for this?

2) The most secure way would be to use cookies and a combination of cookies in DB?
nvee Posted February 10, 2010

Interrupting myself:

1) For login, I have to give the user the option if they want to remain logged in. If true, I must use cookies, if they don't, I use sessions?
ignace Posted February 10, 2010

If you are working on shared hosting you must make sure that the first thing you do is:

    ini_set('session.save_path', 'path/to/local/directory');

Second, on the login page:

    // Start the session; a non-zero $lifetime (in seconds) makes the session cookie persistent.
    function start_session($lifetime = 0) {
        if (0 !== $lifetime) {
            session_set_cookie_params($lifetime);
        }
        session_start();
    }

    if (isset($_POST['submit'])) {
        $session_lifetime = 0; // 0 = cookie is dropped when the browser closes
        if (isset($_POST['remember_me'])) {
            $session_lifetime = 3600; // keep the cookie for one hour
        }
        start_session($session_lifetime);
        //logic
    }

Something different that I found working:

    // setcookie() takes an absolute expiry timestamp, so add the lifetime to time()
    setcookie(session_name(), session_id(), time() + $session_lifetime);

This last option creates 2 cookies: the cookie created by session_start() will be destroyed upon browser closing while the other remains active, and upon next visit you will appear as logged in. View stored cookies to watch how this happens.
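An added example, not code from any poster in this thread: a "remember me" login for the cookies-plus-database arrangement asked about above, where the cookie carries only a random token, the database stores that token's hash, and the PHP session itself stays short-lived. The `auth_tokens` table, the `remember` cookie name and both function names are assumptions; it needs PHP 7.3+ and a PDO connection in exception mode.

```php
<?php
// Added example: the auth_tokens table, the "remember" cookie and both function
// names are assumptions, not code from this thread.
// Assumed schema: auth_tokens(selector TEXT PRIMARY KEY, validator_hash TEXT,
//                             user_id INTEGER, expires INTEGER)
const REMEMBER_TTL = 1209600; // 14 days, in seconds

function issue_remember_token(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;      // absolute Unix timestamp
    $db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function login_from_remember_cookie(PDO $db): ?int
{
    $raw   = $_COOKIE['remember'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM auth_tokens
                          WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Tokens are single use: delete the row whether or not the validator matches.
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // The caller has already run session_start(); give the login a fresh session id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    issue_remember_token($db, (int) $row['user_id']); // rotate to a new token
    return (int) $row['user_id'];
}
```

Call `login_from_remember_cookie()` after `session_start()` only when `$_SESSION['user_id']` is not set, and delete the user's rows from `auth_tokens` on logout or password change.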