Jump to content

Necessity of cookies and session_start()

Cupidvogel

By Cupidvogel
in PHP Coding Help

 Share

Recommended Posts

Cupidvogel Member

Cupidvogel

Posted
Posted

Hi, I was just wondering about the necessity of using cookies and session_start() to preserve state and provide personalization. Why can't it be done this way: The user logs in, the script adds the IP address of the client, together with his account info (say user id), and browser name, to a MySQL table, and configures the table (by setting a MySQL event) to delete that row after, say, 30 days (if not the user logs out in between, in which case the row is explicitly deleted). Now each time a page request comes from that client through that browser(as verified by grabbing the IP address and browser info), a check in the session table is done to see whether that IP address is in that table. If yes, it means that a user is logged in, and after grabbing the user id (necessary, because many users can log in from the same IP, whether from one or more than one browser), an accordingly personalized page is sent to the client. If no, then it sends just a normal page. Is it feasible or possible?

Link to comment
https://forums.phpfreaks.com/topic/262742-necessity-of-cookies-and-session_start/
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted
after grabbing the user id

 

From where would you be getting the user id? It would need to come from the browser with the http request in order to distinguish which of the multiple possible users just made a request from the same ip address.

 

The only information you get with each http request is the ip address, the URL (paths and get data), any headers (which includes cookies, session id cookie, and browser user agent), and any post data.

Cupidvogel Member

Cupidvogel

Posted
  • Author
Posted

No no, when the user logs in, say with a user-name of foo, the server will naturally assume that each subsequent page request from that browser in that IP is coming from that user (it will store the user-id, IP address, browser info in a table). Surely if you log in to Facebook, then go to bathroom without logging out, and in the meantime your brother clicks a link to one of your female friend's page, the server will think that it is you, and send a personalized page accordingly?

mrMarcus Member

mrMarcus

Posted
Posted

No no, when the user logs in, say with a user-name of foo, the server will naturally assume that each subsequent page request from that browser in that IP is coming from that user (it will store the user-id, IP address, browser info in a table). Surely if you log in to Facebook, then go to bathroom without logging out, and in the meantime your brother clicks a link to one of your female friend's page, the server will think that it is you, and send a personalized page accordingly?

 

No security in that plan whatsoever.  What about shared computers?  IP address changes?  Multiple browsers?  The user will never be able to retain any information/data with a site using that method as there is no indefinite way of relating any data to any specific user as there are too many variables.

 

Is good that you're trying to think outside the box, but in this case, it's best to just stick with the norm unless an application truly needs something different.

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

What you are suggesting won't work when there are two or more computers with the same browser in the same network/same ip address. This situation would commonly occur in households, companies, universities, businesses providing wifi hot spots, ...

Cupidvogel Member

Cupidvogel

Posted
  • Author
Posted

Yeah, I shall stick to the norm, I just want to know what are the holes in this process. Firstly you said shared computer. Obviously if two users are using the same computer, then the server will have no way of knowing which user is requesting the page, so it will send the page in conformance with the currently logged in user (in fact, even cookies can't help in this case, can they?) I don't know about the IP address change problem. Please explain, I have almost zero knowledge about networking. And multiple browsers are quite possible, that is why I am storing the browser info of the logged in user as well, so that a page request from a different browser provides a normal page.

Cupidvogel Member

Cupidvogel

Posted
  • Author
Posted

What you are suggesting won't work when there are two or more computers with the same browser in the same network/same ip address. This situation would commonly occur in households, companies, universities, businesses providing wifi hot spots, ...

 

Ummm, can't I extract the MAC address out of the IP address for individual page request? I mean, even if the IP addresses are same, there has to be some way of differentiating two computers!

Cupidvogel Member

Cupidvogel

Posted
  • Author
Posted

Oh, so that's why cookies stand out you say, because it can uniquely identify a computer even if others are using the same IP as well, and thus avoiding all gotchas others have mentioned here? My method will fail on a WiFi network if multiple users are using the same browser, because each will have same IP address?

mrMarcus Member

mrMarcus

Posted
Posted

The method that you're referring to here would only provide temporary personalization, at best.  Let's not get confused into thinking that a method such as this would provide any sort of legitimate method of storing any specific user-based information for the long-term, such as a site like PHPFreaks.com.

 

With that clear, if you're looking to validate a user against an IP address (as well as browser, etc.), and that IP address changes on their PC at home (as they often do), then their data would be no longer available to them.

 

in fact, even cookies can't help in this case, can they?

 

Cookies are not used for validation against a database, or at least they shouldn't be.  Cookies might be used for simple personal preferences such as "don't show me that popup again" or by changing the background colour of a site (amonsgt a bunch of other simple tweaks [saving ones username for easier login]).

 

Obviously if two users are using the same computer, then the server will have no way of knowing which user is requesting the page, so it will send the page in conformance with the currently logged in user

 

You just answered your own question right there ^

Cupidvogel Member

Cupidvogel

Posted
  • Author
Posted

Well, if the client's IP address can change, how ill PHP session help in this case? And I don't know about cookies, but are the information stored by them sent automatically to the server when the user requests a page from that domain, either by clicking a link or typing the address into the address bar?

mrMarcus Member

mrMarcus

Posted
Posted

Not that it's "undone", just that there is no sure way of that same user ever retrieving his/her data ever again with all the said variables.

 

They could spend 6 hours saving all kinds of data one day, wake up the next morning and their IP address has changed.  Now, you're system would be verifying a user based on their IP address, and all of a sudden, Tommy down the street now has access to your data because his IP is associated with the user data you saved the day prior.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.