Sessions and cookies

[Robert Siddall]

I am trying to write a membership script and I was hoping for some adviced for the aspiring PHP freak.

 

When this forum launches it knows automatically who I am and does not ask me to log in. I assume that this is because the page reads the phpfreaks cookie which contains my user information. This seems to be confirmed by the fact that I can see two cookie files with phpfreaks in the title on my machine.

 

The membership tutorials use sessions to record user information so the user does not need to login each time one selects a new page. I understand that this is done because the session file is written on the web server avoiding a security problem. However, I believe the session is destroyed once the user leaves the site and the data is lost. There doesn't seem to be a way to auto login if one wants to use sessions to keep track of the users state, unless one transfers data from a cookie to a session when the site is initially launched.

 

Is this what one MUST do if one wants a site to automatically recognise a user or am I missing something? It would seem that the security hole that sessions were designed to close is opened if one wants a site to remember a user. Or perhaps there is a method using the ip address?

 

Comments and/or advice would be most welcome.