alejandro52 Posted October 4, 2010

What is the best practice to use cookies and sessions? Should I create a cookie and keep inside the cookie the name of the username the user has logged in with, or a session? How am I supposed to combine these two? Is there any example or a tutorial on this? For example, how do PHP Freaks sessions and cookies work?
n1concepts Posted October 4, 2010

I use cookies to set variables (i.e. affiliate tracking IDs) and sessions to move that affiliate ID (which is sent to the site via GET function <URL>). So in short, the cookie is used when you want to try and hold information for a user who may return to the site. A session is used to handle that current visitor's interaction with the site (passing the captured info from page to page). Here are good links to understand both:

http://www.w3schools.com/PHP/php_cookies.asp
http://www.w3schools.com/PHP/php_sessions.asp
Adam Posted October 4, 2010

First of all, cookies should never be used to store important/private data, nor be trusted. A user can easily modify a cookie to anything they want. If you store usernames in them, all the user would have to do is modify their cookie and they can be any user they wish. Really the only time you should use cookies is to store non-private/insecure data, like for example page references, 'remember' tokens that are validated server-side, session IDs, etc.

PHP sessions on the other hand are stored on the server and cannot be manipulated by the user. A session ID is automatically generated and stored within the user's cookies to link the user to the session. This isn't "trusted" however - additional checks are done to verify the user hasn't just stolen somebody else's session ID. You can store private data (to a degree) in these relatively securely. Of course, if there's a major security hole in your system then the data may be compromised.
alejandro52 Posted October 4, 2010

So for example, if I have a web site where users can log in and post stuff like PHP Freaks, if I use a session, when the browser closes the session is destroyed. If I use a cookie it will remember the user. But wouldn't it be a safety risk?
alejandro52 Posted October 4, 2010

> First of all, cookies should never be used to store important/private data, nor be trusted. A user can easily modify a cookie to anything they want. If you store usernames in them, all the user would have to do is modify their cookie and they can be any user they wish. Really the only time you should use cookies is to store non-private/insecure data, like for example page references, 'remember' tokens that are validated server-side, session IDs, etc.
>
> PHP sessions on the other hand are stored on the server and cannot be manipulated by the user. A session ID is automatically generated and stored within the user's cookies to link the user to the session. This isn't "trusted" however - additional checks are done to verify the user hasn't just stolen somebody else's session ID. You can store private data (to a degree) in these relatively securely. Of course, if there's a major security hole in your system then the data may be compromised.

Thanks for the reply, you got me kind of covered. But if I use a session, when the browser closes so does the session. How am I supposed to restore the session when the user reopens the browser? If I store the session ID inside a cookie, would that be OK (is it true that Firefox does that automatically, unlike iexplorer)? And how am I supposed to prevent another user from stealing the session ID?
Adam Posted October 4, 2010

Not if you implement a few checks to ensure you have the correct user, like validating the token as well as the user's IP for example.
alejandro52 Posted October 4, 2010

Right, the user IP, forgot about that. What's a token?
Adam Posted October 4, 2010

Sorry, I was just referring to the 'remember me' cookie; naming it a token... As in it grants you token access. It's a fairly common name for things like that.
n1concepts Posted October 4, 2010

The key is not storing private-type info as a cookie (i.e. username, password, etc...). I suggest setting a numerical ID of some sort as the cookie and using that cookie to retrieve stored session info.

Note: as long as the user doesn't clear the cookie, then you can re-establish their previous connection, to which the cookie will send that ID value back to authenticate that user. Again, don't use a cookie to handle login processes, etc..., but as a basis to alert the script of the previous user's interaction with the site. You can hold the more sensitive data in sessions, which can be re-established if custom coded to hold the info for longer durations. There are custom configurations you can make to allow sessions to hold longer but they could create overhead on the server (long term). Just go to www.php.net
Adam Posted October 4, 2010

> If I store the session ID inside a cookie, would that be OK (is it true that Firefox does that automatically, unlike iexplorer)?

I'm not sure what you mean by Firefox doing it automatically. The PHP configuration primarily controls how the session ID is stored. It's using a cookie by default, but you can change the setting to have the session ID automatically appended to every link instead.

> And how am I supposed to prevent another user from stealing the session ID?

If you use standard PHP sessions, you don't need to worry about session hi-jacking. PHP prevents that. If you create your own custom sessions, then as mentioned before, not just relying on the cookie to be correct and validating the user is who they say they are.
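As an added example (not code from this thread, from PHP Freaks, or from the PHP project), here is one way to configure the standard PHP session extension so that the session ID lives only in a cookie, is never appended to links (the `session.use_trans_sid` behaviour Adam mentions), and is regenerated at login. The function names are my own; the User-Agent binding is an assumption about the kind of "additional check" a site might layer on top. The array forms of `session_set_cookie_params()` require PHP 7.3 or newer.

```php
<?php
// Added example: hardening the built-in PHP session handling.
// Not the forum's code; function names are illustrative.

function secure_session_start(): void
{
    // Refuse session IDs the server did not generate itself (defeats fixation
    // where an attacker plants a known ID before the victim logs in).
    ini_set('session.use_strict_mode', '1');
    // Keep the ID in a cookie only; never append it to URLs, where it would
    // leak through Referer headers, proxy logs and copied links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);

    session_start();

    // Assumed extra check: bind the session to the User-Agent that created it.
    // Binding to the client IP works the same way but breaks for users whose
    // IP changes mid-session (mobile carriers, corporate proxies).
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!isset($_SESSION['_ua'])) {
        $_SESSION['_ua'] = $ua;
    } elseif (!hash_equals($_SESSION['_ua'], $ua)) {
        // Mismatch: throw away the data and hand out a fresh, anonymous ID.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_ua'] = $ua;
    }
}

// Call only after the password has been checked (e.g. with password_verify()).
function login_user(int $userId): void
{
    // New ID on privilege change: an ID observed before login is useless after.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the browser's copy of the session cookie as well as the server data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?? 'Lax',
    ]);
    session_destroy();
}

// Usage on every page: secure_session_start(); then read $_SESSION['user_id'].
```

The important pairing is `use_strict_mode` with `session_regenerate_id(true)` at login: the first stops a client from choosing its own ID, the second makes sure an ID that existed before authentication never carries the authenticated state.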
alejandro52 Posted October 4, 2010

So step by step, what I'm going to do: the user types in a username and password. With the PHP POST method I check if they are correct. If they are, I set the user ID and username in the session. I also set the user's IP inside a cookie. Now when the user closes the browser the session is destroyed. When the user reopens the browser and comes back to the web page, I check to see if the user IP is the same as the user that came back. If it is, I set once again in the session the username and user_id. Is that correct? BTW, how come PHP remembers my username even if my IP has changed?
Adam Posted October 4, 2010

No, not quite. Are you implementing your own custom sessions here? If not and you're just using standard PHP sessions, you don't need to worry about any of this. Just call session_start and PHP will handle the rest - remember to call session_start() on any page you need sessions though.
alejandro52 Posted October 4, 2010

> No, not quite. Are you implementing your own custom sessions here? If not and you're just using standard PHP sessions, you don't need to worry about any of this. Just call session_start and PHP will handle the rest - remember to call session_start() on any page you need sessions though.

Yes, I know how to use session_start and I know how to use just sessions without cookies. My main problem is how am I going to restore the session when the user comes back to my web page? Should I store the session name in a cookie and also in a table in my database and check if they match? Or should I check if the user's IP is the same as that on the cookie? What is the best practice when you want to restore a session after the browser is closed and reopened?
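The "remember me" token Adam describes (a cookie value that is validated server-side and carries no username) and the restore-after-browser-close flow asked about in the last two posts can be built with one table and two functions. The following is an added example, not code from the thread or from PHP Freaks: the cookie holds a random selector plus a random validator, and the database stores the selector together with only a SHA-256 hash of the validator, so neither a stolen database row nor a guessed cookie on its own restores a login. The table, column names and the in-memory SQLite database are constructed here for the example; the IP check from the thread is left out on purpose and could be added in `restore_from_remember_cookie()` if the site accepts that users on changing IPs get logged out. The array form of `setcookie()` needs PHP 7.3 or newer.

```php
<?php
// Added example: persistent login via a server-validated "remember me" cookie.
// Not the forum's code; table layout and names are constructed for this demo.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Constructed in-memory store so the example runs stand-alone.
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            expires        INTEGER NOT NULL)');
    }
    return $pdo;
}

// Call right after a successful password login when the user ticked "remember me".
function issue_remember_token(int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // the secret: lives only in the cookie
    $expires   = time() + REMEMBER_DAYS * 86400;

    db()->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    // The cookie carries no username or user id; it is an opaque handle.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Call on each request after session_start() when $_SESSION has no user yet.
// Returns the restored user id, or null if the cookie is absent or invalid.
function restore_from_remember_cookie(): ?int
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = db()->prepare('SELECT validator_hash, user_id, expires
                           FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }

    // Constant-time comparison of the hashes, so timing does not leak bytes.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: revoke the row rather than let it be guessed.
        db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    $userId = (int) $row['user_id'];

    // Fresh session ID for the restored login, then rotate the token so a
    // copied cookie can be used at most once.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issue_remember_token($userId);

    return $userId;
}

// Usage: session_start(); $uid = $_SESSION['user_id'] ?? restore_from_remember_cookie();
```

Rotating the token on every successful restore is what turns a stolen cookie into a detectable event: if the legitimate browser and an attacker both present the same old value, the second one fails validation and the row is deleted, which is the moment to ask the user to log in again.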