View Full Version : Session Using Cookies?

06-11-2005, 05:52 PM
I have code PHP to use sessions, userid, password, etc from a MySQL database, and it seems to work, but I am wondering if it uses cookies to do this on the client? And where is this stored at the Client? I look at my cookies folder under Documents and Settings, but I don't see a cookie there. So where it is stored if it is using cookies? Also another question, how do I know if it is using cookies or not? I have read that either cookies or url rewriting are the only options, is that true? I don't think I like url rewriting instead of cookies, either, what is everyone's thoughts and experiences with this?

06-11-2005, 08:13 PM
That is true, without users cookies being on it will pass via a session hash in the url instead. You can do this two ways, either by adding a sessionid to your links, or by enabling session.use_trans_sid either via php.ini or ini_set() function.
If you are going to allow such a use though, you need to impliment some security to check the session each time its being accessed, simple things would be great, ipaddress, useragent etc. Check these and compare to whats within a session, and your good to go.

06-11-2005, 11:07 PM
So using the cookie technique is better? Also, still looking for where these are stored, they are not in the place I mentioned in first post. Tony.

06-11-2005, 11:27 PM
sessions use cookies, but in a different way than just a cookie, the session uses the cookie to serve as a pointer to the session, the acctuall information is still on the server and is in almost all cases much safer way of transfering data from one page to another. if users have it set to not use cookies then your out of luck there and you would need to use a session id in each url.

06-11-2005, 11:44 PM
Yes, I understand how the session cookie thing works. But what I don't know is:
Where are these cookies stored on the client's machine. In my testing it is NOT under "Documents and Settings/me/cookies", where I would expect it to be. Where is it? (trying hard to get that answer but no one reads my questions it appears)
Secondly, because of the two options of cookies or url, what does everyone do? Tell me, do you use the cookie feature only, or the other? If you use just the normal cookie thing, then what you do about people with cookies turned off (if anything)? Everyone, please let me know what you do!!! (thanks in advance)

Thanks, Tony

06-12-2005, 01:57 AM
Can anyone answer the first question, where?
Also, please let me know what everyone is doing, choice wise.

06-12-2005, 05:13 AM

06-12-2005, 06:30 AM
Anyone's help would be appreciated.

SeeIT Solutions
06-12-2005, 09:10 AM
3 bumps in 5 hours?

06-12-2005, 02:35 PM
If you set session.use_cookies to on and session.use_only_cookies to off then PHP will try to decide which method to use. If cookies are available it will use them, if not it will use url sessions so you don't have to worry about choosing one or the other method you can just let PHP choose the appropriate method for you.

If security is reasonably important then just advise your users that cookies will ensre their security and they should refuse the cookie at their own risk. If security is paramount then enable session.use_only_cookies and inform your users that they must accept the cookie. Using SSL will further help to maintain your security.

As to which I would choose, it really all depends on the application I'm writing. For instance, a secure area for clients to upload their personal files would need fairly decent security, an e-commerce site would need even greater security, but a site that just uses sessions to determine which style-sheet I present to the user wouldn't need any kind of security.

As for your first question, I'm not entirely sure where this defaults to, but why does that matter? Also the answer would vary greatly depending on which operating system you're using or how you have it configured. If you don't see a PHPSESSID in the url when you refresh your page but the sessions still work then you know the cookie is working. As wickedjester has already said, nothing important is stored in the session cookie on the client machine so you don't have to worry that the user's details are in there, it's just a pointer telling the server where to look for the relevant information.