I am just about to write a shopping cart, and wondered what everyone thought on the pros and cons of cookies versus URL for storing session vars.
I'd also be interested to know if anyone has used the URL method, with mod_rewrite on Apache, to rewrite dynamic to static URLs except a session variable.
Cheers,
asp
If I absolutely had to choose between the two, I'd go for the URL method; it's safer (in the way that it's not affected by the user's choice), and if I remember correctly, there's an option in PHP to use the var SID transparently so it doesn't appear in the URL but it's still passed around (I'll have to check on that one though...)
But otherwise, try to use a combo. Makes your system more stable.
Hope that helps
mavherick
Thanks very much for that. FYI, this is what I found in the PHP doc re: a transparent SID:
session.use_trans_sid (boolean): session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send an URL that contains an active session ID to their friends by email or users may save an URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
asp
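
An added example, not part of any post in this thread: a cookie-only session bootstrap for a cart that addresses the URL risks quoted from the PHP documentation above. It assumes PHP 7.3 or later and an HTTPS site; the function names `ini_flag`, `start_cart_session` and `on_login` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: names and structure are assumptions, not code from the thread.

function ini_flag(string $name): bool
{
    // php.ini booleans can read back as "1", "On", "0" or "".
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function start_cart_session(): void
{
    // Fail closed if this PHP would accept or emit session IDs in URLs.
    if (!ini_flag('session.use_only_cookies') || ini_flag('session.use_trans_sid')) {
        throw new RuntimeException('URL-based session IDs are enabled; fix php.ini');
    }

    // A link that still carries an ID (old bookmark, forwarded e-mail) is
    // redirected to the same path without it, so the ID is never re-shared.
    if (isset($_GET[session_name()])) {
        $query = $_GET;
        unset($query[session_name()]);
        // Force a single leading slash so the redirect stays on this host.
        $path = '/' . ltrim((string) strtok($_SERVER['REQUEST_URI'], '?'), '/\\');
        header('Location: ' . $path . ($query ? '?' . http_build_query($query) : ''), true, 302);
        exit;
    }

    session_start([
        'use_strict_mode' => 1,      // reject IDs the server did not issue
        'cookie_httponly' => 1,      // cookie is not readable from page scripts
        'cookie_secure'   => 1,      // cookie is sent over HTTPS only
        'cookie_samesite' => 'Lax',
    ]);
    $_SESSION['cart'] = $_SESSION['cart'] ?? [];
}

function on_login(int $userId): void
{
    // Issue a new ID at the privilege change and delete the old session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Visitors who block cookies get a fresh, empty cart on every request under this setup, so the site should detect that and tell them cookies are required rather than fall back to IDs in the URL.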