
Question regarding Cookies


PHPiSean


Hello, I have a couple of silly questions to ask, but it's better to ask them than not ask them :P

 

1. Are cookies treated like arrays? For example, if someone comes back to my site, I want the cookie to start a session. I just am unsure on how to go about doing a MySQL query to get a username from a cookie and start a session.

 

2. That said, if I store a username in a cookie, can users go about and edit that cookie to a different username? Or is there encryption of some sort?

 

3. I know a cookie is used for a long-term login, and a session is used for a one-time login. That said, do I still have to use sessions when I use cookies? Here's how I LOOKED at it:

 

Cookies and Sessions are 2 separate things.

 

Here's how I NOW look at it

 

You can have sessions... or

you can have cookies AND sessions.

 

Is this correct?

Thanks!

 


Hi there,

 

Brief description of cookies and sessions

 

Cookies are stored on the client's machine, whereas sessions are saved on the server. Sessions do, however, still use cookies to hold a unique ID of the session stored for each user. Sessions are mostly a combination of server side cookies and client side cookies. So the cookie is already automatically created for you. You can even turn off the SID being made through the cookies and have it pass through the HTTP URL (this method has some drawbacks).

 

So actually you can set the session's lifespan on the server itself; just configure session.gc_maxlifetime in the ini settings. By default I believe it's 25 minutes before a session is destroyed by the server itself. A session should have its cookie assigned to it.

 

Answering your questions

 

1. When creating a session you are basically creating a cookie automatically along with it; this cookie holds the session's unique ID. When you register a session upon the user's login, you need to insert his username or user id. I don't know what you mean by treated like an "array"... The session will last as long as the user doesn't close the browser. It doesn't matter if they go to another site, but the session will die after 25 mins by default; you can change this in the ini settings.

 

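```php
<?php
session_start();

### Register the session (at login)
$_SESSION['user'] = 'the user\'s id';

### Using the session
### $db is assumed to be an open mysqli connection
$user_id = $_SESSION['user'];
$stmt = $db->prepare("SELECT * FROM `users` WHERE `user_id` = ?");
$stmt->bind_param('s', $user_id);   // bound parameter, not string interpolation
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

### Printing the data
print $row['username'];
print $row['user_id'];
print $row['password'];
```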

 

2. Instead of me writing a paragraph, go to this link: http://thinkvitamin.com/code/how-to-create-totally-secure-cookies/ - Very good read in my opinion, and it goes for sessions too.

 

3. Sessions can ALSO be used for long-term login, depending on how you handle them. Sessions ARE a combination of cookies and session.


Alright, so I read the guide, and it was very straightforward (thanks.)

 

1. Say once a user logs in, I set a cookie on their computer. Once they come back, the session_start() function will only be what's needed to get them going through the site?

2. So a cookie is a sessionID stored on their computer? Or is it vice versa?

3. All they can see is the sessionID? Not the username of the person who has the cookie on their computer?

 

Thanks again!


Np,

 

1. You can set a cookie or a session, but sessions are safer than cookies for storing valuable information. The sessions are stored on the server, so when you call session_start() you can grab that data, regardless of whether they leave the site or not.

 

2. A SESSION is a combination of cookies and a session; a cookie itself is a key/value pair stored on the client's computer, not the server itself.

 

3. They can't see the sessionID unless you disabled session cookies, but that's frowned upon. The sessionID is inside the cookie which stores it; the session holds data (i.e. user ID). No, the user can never see another user's cookies, only their own.
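
Question 2 in this thread asks whether a user can edit a username stored in a cookie. As an added example (not code from the thread or from the linked article), one way to make a long-term login cookie tamper-evident is to append an HMAC computed with a server-side key and to copy the identity into the session only after the cookie verifies. `SECRET_KEY`, the cookie name `login` and the `userId|expiry|mac` layout are assumptions for illustration.

```php
<?php
// Added example: SECRET_KEY, the "login" cookie name and the field layout
// are assumptions for illustration, not values from the thread.
const SECRET_KEY = 'constructed-demo-key-use-random-bytes-in-practice';

// Build "userId|expiry|mac"; the MAC covers userId and expiry, so neither
// can be edited in the browser without the server-side key.
function make_login_cookie(string $userId, int $ttl, ?int $now = null): string
{
    $payload = rawurlencode($userId) . '|' . (($now ?? time()) + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the user id if the cookie is authentic and unexpired, else null.
function verify_login_cookie(string $cookie, ?int $now = null): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison
        return null;
    }
    return ((int) $expiry >= ($now ?? time())) ? rawurldecode($user) : null;
}

// Returning visit: verify the cookie first, then keep the identity in the
// server-side session under the same $_SESSION['user'] key the thread uses.
function resume_session(array $cookies): bool
{
    session_start();
    if (!isset($_SESSION['user']) && is_string($cookies['login'] ?? null)) {
        $user = verify_login_cookie($cookies['login']);
        if ($user !== null) {
            session_regenerate_id(true);        // fresh session ID on login
            $_SESSION['user'] = $user;
        }
    }
    return isset($_SESSION['user']);
}

// Constructed demo: a genuine cookie, one edited client-side, one expired.
$cookie = make_login_cookie('42', 30 * 86400);
$forged = '1' . substr($cookie, 2);             // user id changed to 1
var_dump(verify_login_cookie($cookie));
var_dump(verify_login_cookie($forged));
var_dump(verify_login_cookie($cookie, time() + 31 * 86400));
```

Run from the command line, only the untouched cookie yields a user id; the edited and the expired cookie both verify to null. In a page, `resume_session($_COOKIE)` would be called before any output is sent.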

 
