  1. #1
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Session Using Cookies?

    I have PHP code to use sessions, userid, password, etc. from a MySQL database, and it seems to work, but I am wondering if it uses cookies to do this on the client? And where is this stored on the client? I look at my cookies folder under Documents and Settings, but I don't see a cookie there. So where is it stored if it is using cookies? Also another question, how do I know if it is using cookies or not? I have read that either cookies or URL rewriting are the only options, is that true? I don't think I like URL rewriting instead of cookies, either. What are everyone's thoughts and experiences with this?

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    That is true, without users' cookies being on it will pass via a session hash in the URL instead. You can do this two ways, either by adding a session ID to your links, or by enabling session.use_trans_sid either via php.ini or the ini_set() function.
    If you are going to allow such a use though, you need to implement some security to check the session each time it's being accessed. Simple things would be great: IP address, user agent, etc. Check these and compare to what's within a session, and you're good to go.
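
The per-request check suggested in the post above, sketched as an added example (not code from the thread). The function names and the `fingerprint` session key are hypothetical, the sample requests are constructed, and the IP comparison is opt-in because addresses change for mobile and proxied users.

```php
<?php
// Added example: bind a session to client attributes and re-check them on every request.

// Hash the attributes so the session stores one fixed-length value.
function client_fingerprint(array $server, bool $includeIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($includeIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// True when the request matches what was recorded, or nothing is recorded yet.
function session_is_consistent(array $session, array $server, bool $includeIp = false): bool
{
    if (!isset($session['fingerprint']) || !is_string($session['fingerprint'])) {
        return true; // fresh session: nothing to compare against
    }
    return hash_equals($session['fingerprint'], client_fingerprint($server, $includeIp));
}

// Drop-in replacement for a bare session_start() call.
function start_checked_session(bool $includeIp = false): void
{
    session_start();
    if (!session_is_consistent($_SESSION, $_SERVER, $includeIp)) {
        $_SESSION = [];              // discard the data tied to the old client
        session_regenerate_id(true); // and retire the old session id
    }
    $_SESSION['fingerprint'] = client_fingerprint($_SERVER, $includeIp);
}

// Constructed sample requests, so the comparison can be tried from the command line.
if (PHP_SAPI === 'cli') {
    $login  = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '192.0.2.10'];
    $other  = ['HTTP_USER_AGENT' => 'OtherAgent/2.0', 'REMOTE_ADDR' => '198.51.100.7'];
    $stored = ['fingerprint' => client_fingerprint($login, true), 'userid' => 42];
    var_dump(session_is_consistent($stored, $login, true)); // same client as at login
    var_dump(session_is_consistent($stored, $other, true)); // different agent and address
}
```

Both attributes are supplied by the client, so this is a consistency check alongside keeping the session ID out of URLs, not a substitute for it.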

  • #3
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    So using the cookie technique is better? Also, still looking for where these are stored, they are not in the place I mentioned in first post. Tony.

  • #4
    New Coder
    Join Date
    Sep 2004
    Posts
    51
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Sessions use cookies, but in a different way than just a cookie: the session uses the cookie to serve as a pointer to the session. The actual information is still on the server, and it is in almost all cases a much safer way of transferring data from one page to another. If users have it set to not use cookies then you're out of luck there and you would need to use a session ID in each URL.

  • #5
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Yes, I understand how the session cookie thing works. But what I don't know is:
    Where are these cookies stored on the client's machine? In my testing it is NOT under "Documents and Settings/me/cookies", where I would expect it to be. Where is it? (trying hard to get that answer but no one reads my questions it appears)
    Secondly, because of the two options of cookies or URL, what does everyone do? Tell me, do you use the cookie feature only, or the other? If you use just the normal cookie thing, then what do you do about people with cookies turned off (if anything)? Everyone, please let me know what you do!!! (thanks in advance)

    Thanks, Tony

  • #6
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Can anyone answer the first question, where?
    Also, please let me know what everyone is doing, choice wise.

  • #7
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    help?

  • #8
    New to the CF scene
    Join Date
    Jun 2005
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Anyone's help would be appreciated.

  • #9
    Regular Coder
    Join Date
    May 2005
    Posts
    563
    Thanks
    0
    Thanked 3 Times in 3 Posts
    3 bumps in 5 hours?

  • #10
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you set session.use_cookies to on and session.use_only_cookies to off then PHP will try to decide which method to use. If cookies are available it will use them; if not, it will use URL sessions. So you don't have to worry about choosing one or the other method, you can just let PHP choose the appropriate method for you.

    If security is reasonably important then just advise your users that cookies will ensure their security and they should refuse the cookie at their own risk. If security is paramount then enable session.use_only_cookies and inform your users that they must accept the cookie. Using SSL will further help to maintain your security.

    As to which I would choose, it really all depends on the application I'm writing. For instance, a secure area for clients to upload their personal files would need fairly decent security, an e-commerce site would need even greater security, but a site that just uses sessions to determine which style-sheet I present to the user wouldn't need any kind of security.

    As for your first question, I'm not entirely sure where this defaults to, but why does that matter? Also the answer would vary greatly depending on which operating system you're using or how you have it configured. If you don't see a PHPSESSID in the url when you refresh your page but the sessions still work then you know the cookie is working. As wickedjester has already said, nothing important is stored in the session cookie on the client machine so you don't have to worry that the user's details are in there, it's just a pointer telling the server where to look for the relevant information.
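
The two setups described in this thread (cookies with a URL fallback versus cookies only), checked side by side in an added example that is not code from the thread. `audit_session_settings()` and the other helpers are hypothetical; the ini directive names are PHP's own, `session.cookie_secure` is included as an assumption to reflect the SSL remark, and the two settings arrays are constructed.

```php
<?php
// Added example: report session settings that let the session id travel in URLs
// or over plain HTTP.

// php.ini booleans reach ini_get() as "1", "", "0", "On", "Off", ...
function ini_on($value): bool
{
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'true', 'yes'], true);
}

function audit_session_settings(array $ini): array
{
    $findings = [];
    if (!ini_on($ini['session.use_cookies'] ?? '')) {
        $findings[] = 'session.use_cookies is off: the id cannot be carried in a cookie';
    }
    if (!ini_on($ini['session.use_only_cookies'] ?? '')) {
        $findings[] = 'session.use_only_cookies is off: an id passed in the URL is accepted';
    }
    if (ini_on($ini['session.use_trans_sid'] ?? '')) {
        $findings[] = 'session.use_trans_sid is on: PHP rewrites links to carry the id';
    }
    if (!ini_on($ini['session.cookie_secure'] ?? '')) {
        $findings[] = 'session.cookie_secure is off: the cookie is also sent without SSL';
    }
    return $findings;
}

// Read the same directives from the running PHP configuration.
function current_session_settings(): array
{
    $ini = [];
    foreach (['use_cookies', 'use_only_cookies', 'use_trans_sid', 'cookie_secure'] as $name) {
        $ini["session.$name"] = ini_get("session.$name");
    }
    return $ini;
}

// Constructed settings: cookie with URL fallback, then cookies only over SSL.
$fallback = ['session.use_cookies' => '1', 'session.use_only_cookies' => '0',
             'session.use_trans_sid' => '1', 'session.cookie_secure' => '0'];
$strict   = ['session.use_cookies' => '1', 'session.use_only_cookies' => '1',
             'session.use_trans_sid' => '0', 'session.cookie_secure' => '1'];

$cases = ['fallback' => $fallback, 'strict' => $strict, 'this server' => current_session_settings()];
foreach ($cases as $label => $ini) {
    $findings = audit_session_settings($ini);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```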

