Cookies vs. Session Variables

         

webfoo

3:53 am on Dec 26, 2010 (gmt 0)

10+ Year Member



Which is better, session variables or cookies?

impact

5:06 am on Dec 26, 2010 (gmt 0)

10+ Year Member



I am not a pro. Session and cookies both have their own disadvantages. The best thing, to my knowledge, would be to use cookies for non-secure data and session for secure data.

For all secure data such as login data, I use session or cookies with a database. That is, session or cookies to store data and the database to validate the data. I also update login information several times to prevent session or cookie hacking.

Hope this helps from a novice. :-)

Merry Christmas.

Matthew1980

7:41 pm on Dec 26, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

webfoo

Essentially $_SESSION & $_COOKIE's are exactly the same thing, check out your cookie register when you're coding, PHPSESSID should be in your list when you have a session registered, this is the way that PHP creates and monitors sessions, through a cookie!

As for your question, they are both as important as each other, $_COOKIES are important for setting user data for when a user returns, and $_SESSION's are ideal for validation page-to-page basis, $_COOKIE's can be used to restart session data from a DB query from the data that they have stored.

Just be careful that you sanitise & hash ANYTHING that you intend to put into a cookie, then salt for good measure, and use something that you can easily strip from the data so that you can check it against a DB, you can store a lot in a cookie, just make sure that the values match! Can catch the best of us out, also ensure that the DB char/varchar count is MORE than the hash length that's generated, generally 32 chars or more should be fine...

But to be honest, this is where you need to find out what and how you intend to use these effective tools. Plenty of tut's out there, experiment and have fun!

Cheers, and season's greetings!
MRb

webfoo

9:55 pm on Dec 26, 2010 (gmt 0)

10+ Year Member



>>Session and cookies both have their own disadvantages.


Can you be more specific? What are the advantages and disadvantages of each?

Matthew1980

2:15 pm on Dec 27, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>Can you be more specific?

A couple that spring to mind are $_COOKIE & $_SESSION data can be deleted by the user, and lots of users and browsers have cookies disabled by default - don't take it for granted that they can be used. Run a check first, and then display messages to inform users that they need to enable them.

Cheers,
MRb

Eray

4:15 pm on Dec 28, 2010 (gmt 0)

10+ Year Member



>> Can you be more specific? What are the advantages and disadvantages of each?

For example, if the user closes the browser window, all $_SESSION[] variables will be deleted for this user. And $_SESSION[] variables aren't stored on the user's PC, they're stored on the server.

Also, cookies aren't deleted if the user closes the browser window. For example, if you want to add a "REMEMBER ME" button, you have to use cookies for this.

Matthew1980

12:35 pm on Dec 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>For example, if the user closes the browser window, all $_SESSION[] variables will be deleted for this user. And $_SESSION[] variables aren't stored on the user's PC, they're stored on the server.

Incorrect.

$_SESSION data is stored client side as I explained in an earlier post. $_SESSION data has a timeout of 25~ mins as set in the ini file, this means that sessions can be re-instantiated SO LONG as the PHPSESSID hasn't been removed from the cookie list, only if that has been unset/deleted, that session cannot be re-instantiated.

Nothing, apart from DB stuff, is stored server side, the script is processed server side, and output client side as the 'PHP' acronym tells us.

Just for clarity there, though Eray is correct about the 'remember me' option.

Hope that makes sense :)

Cheers,
MRb

rocknbil

5:00 pm on Dec 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, what is true about that is that the PHPSESSID cookie is a session cookie, so when the browser is closed the PHPSESSID cookie dies - breaking the connection between user and the session data stored on the server.

A distinction should be made between session cookies and persistent cookies. "Session cookies" have nothing to do with PHP - this refers to the client's (browser's) browsing session. The cookie named "PHPSESSID" is one set by PHP to maintain the connection between client and PHP on your server.

If you just set a cookie without a valid expiration date, it will be a session cookie by default. To set a persistent cookie (as in "remember me," etc.) it requires a valid date format some time in the future. To clear these cookies, you set a cookie of the same name with empty data and an expiration date in the past.
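
The session-cookie versus persistent-cookie distinction above, combined with the earlier advice in the thread to hash cookie values and check them against a database, as an added example that is not part of the thread. It assumes PHP 7.3+ and an HTTPS site; the `remember_me` cookie name and the `$store` array (standing in for a database table) are hypothetical.

```php
<?php
// Added example. Needs PHP 7.3+ (array form of the cookie options).
// 'remember_me' and $store are hypothetical; $store stands in for a DB table.
const COOKIE_OPTS = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

// Session cookie: lifetime 0 means no expiry date, so the browser drops
// PHPSESSID when it closes. The browser only ever holds the session ID.
session_set_cookie_params(['lifetime' => 0] + COOKIE_OPTS);
session_start();
$_SESSION['user_id'] = 42; // kept in the server's session store (files by default)

// Persistent cookie: a future expiry date makes it survive a browser restart.
function issueRememberMe(array &$store, int $userId, int $days = 30): string
{
    $token   = bin2hex(random_bytes(32)); // unguessable value handed to the browser
    $expires = time() + $days * 86400;
    // Store only a hash, so a leaked table cannot be replayed as cookies.
    $store[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $expires];
    setcookie('remember_me', $token, ['expires' => $expires] + COOKIE_OPTS);
    return $token;
}

// Validate the cookie value against the server-side record.
function userFromRememberMe(array $store, string $token): ?int
{
    $row = $store[hash('sha256', $token)] ?? null;
    return ($row !== null && $row['expires'] >= time()) ? $row['user_id'] : null;
}

// Clear: delete the server record, then overwrite the cookie with an
// empty value and an expiry date in the past.
function clearRememberMe(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
    setcookie('remember_me', '', ['expires' => time() - 3600] + COOKIE_OPTS);
}

// Constructed walk-through: issue, validate, reject a made-up value, clear.
$store  = [];
$token  = issueRememberMe($store, 42);
$before = userFromRememberMe($store, $token);
$forged = userFromRememberMe($store, 'guess');
clearRememberMe($store, $token);
$after  = userFromRememberMe($store, $token);
var_dump($before, $forged, $after);
```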