Cookies Over Sessions

[chemdream]

Because I have a multi server setup, I was thinking about using cookies for all session data. Obviously the data will be encrypted. But do you guys have any best practices you would recommend?

 

For example, right now, I look for a cookie call (app_name). if that exists I decrypt the data, unserialize it and see if I can the proper ID (and 1 other validation field). If they do, then I fill the local session with all the data I need and I make sure the cookie has the up-to-date data.

 

Should I not use a cookie with (app-name)?

 

If I just use session_name() and set the session/cookie name? Or will that delete the data in the cookie if it already exists?

 

Any advice would be great!

 

I'm really trying hard not to save session data in the DB to account for the multi-server setup.

 

Thanks!

[ManiacDan]

Do not ever use cookies to store session data. Cookies are passed to the client with every request and are visible by the client (and can be modified). Your encryption is probably not good enough to protect your session.

 

Instead, override the session storage location and store the data in memcache or a database. Articles on overriding the session using session_set_save_handler are everywhere.