ckrudelux Posted July 14, 2009
What is the difference?
I could use the session as a cookie and cookie as a session but I guess there are some differences in speed and security.

Synook Posted July 14, 2009
Sessions die when the user closes their browser (i.e. at the end of the session). Cookies last as long as you tell them to (or until the user clears their cookies). Session data is held server-side and can't be freely modified by the end user, while cookie data is held client-side. Sessions are faster as all that needs to be sent is the session ID (SID), while with cookies all the data needs to be resent with every request.

ckrudelux Posted July 14, 2009
> Sessions die when the user closes their browser (i.e. at the end of the session). Cookies last as long as you tell them to (or until the user clears their cookies). Session data is held server-side and can't be freely modified by the end user, while cookie data is held client-side. Sessions are faster as all that needs to be sent is the session ID (SID), while with cookies all the data needs to be resent with every request.

Thanks, then I know what to use :)

MrFish Posted July 15, 2009
Well, I think you should also know that sessions shouldn't be used at every chance either. While it seems the obvious way to go, you should use them only when you need them. This is because it's server side (like Synook said), but if too many users are on and you rely heavily on sessions then your server will be bogged down. But sessions are secure, so use them for important information that you wouldn't want users to edit (like a login). Cookies aren't so bad either, I use 'em. Don't use them for login though, people can change a cookie to have an admin name, then you'll be screwed! Even though cookies sound like they take much longer, it's still only a fraction of a second in most cases (but of course it adds up).

But if you are making a login, here is the way I do it:
Use sessions to log in the username only. Also save the username and password on a cookie. This way, if the username session doesn't exist at the start of a page, check to see if the username AND password cookie exist. If they exist and match in the MySQL database, then set a session where the username = the cookie username. If only one cookie exists or they do not match, someone was trying to hack in, so clear cookies and have an error log of some sort that sends information you want, like IP and the time of day.

This is how I make a "sticky" login. Since sessions die when you turn off your browser, you need a way to "remember me".

So the moral of this story is, use both. Each is better for different things. Try to use as few sessions as possible, but enough for your site to function the way you want.

Some may disagree but this is my opinion.

Edited July 15, 2009 by MrFish

Synook Posted July 16, 2009
It is better to store a hash of the password if you do store it in a cookie, as then the password isn't stored in plain on a potentially insecure system.
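
A variation on the sticky login discussed in the posts above, as an added example that is not code from any poster: instead of the password or its hash, the cookie carries a random single-use token and the server keeps only that token's hash. The function names and the in-memory array standing in for the MySQL table are assumptions.

```php
<?php
// Added example. $table stands in for a MySQL table (assumption):
// selector => ['user' => string, 'hash' => string, 'expires' => int]

// Call after a successful password login; the return value is the cookie value.
function issueRememberToken(array &$table, string $user, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, exists only in the cookie
    $table[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator), // a copied table cannot mint cookies
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Call when no session exists but the cookie is present.
// Returns the username for $_SESSION, or null if the cookie must be rejected.
function redeemRememberToken(array &$table, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($table[$parts[0]])) {
        return null;                         // malformed or unknown: clear the cookie
    }
    [$selector, $validator] = $parts;
    $row = $table[$selector];
    unset($table[$selector]);                // single use, whether or not it matches
    if ($row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // edited value: log IP and time here
    }
    return $row['user'];                     // caller issues a fresh token and cookie
}

// Constructed walk-through.
$table  = [];
$cookie = issueRememberToken($table, 'alice');
var_dump(redeemRememberToken($table, $cookie));   // genuine cookie
var_dump(redeemRememberToken($table, $cookie));   // same cookie replayed
$second = issueRememberToken($table, 'alice');
$forged = explode(':', $second)[0] . ':' . str_repeat('0', 64);
var_dump(redeemRememberToken($table, $forged));   // validator edited by the user
var_dump(redeemRememberToken($table, 'admin'));   // hand-typed value
```

In a page, the returned string would go into a cookie set with the HttpOnly and Secure flags, and the username returned by `redeemRememberToken` into `$_SESSION`.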

ckrudelux Posted July 16, 2009
> It is better to store a hash of the password if you do store it in a cookie, as then the password isn't stored in plain on a potentially insecure system.

Okay, so is it bad to use sessions to send error messages? I thought it was a really nice way to do it.

boen_robot Posted July 16, 2009
> Sessions die when the user closes their browser (i.e. at the end of the session).

Wha...? I thought that Sessions (since based on Cookies) last until the session expires, which is an adjustable setting.

justsomeguy Posted July 16, 2009
The cookie is a temporary cookie, so it will be deleted when you close the browser. The session timeout is only checked by PHP, so when the browser sends the session ID then PHP will look it up to figure out if the session has expired or not, but the cookie will hang out until you close the browser.
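
The split described in the post above, between a cookie that lives until the browser closes and an expiry decided on the server, as an added example that is not code from the thread. `IDLE_LIMIT`, the `last_seen` key and the function names are assumptions, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
// Added example; IDLE_LIMIT and the 'last_seen' key are assumptions.
const IDLE_LIMIT = 1800; // seconds of inactivity the server will accept

// Pure check, so the rule can be exercised without a browser.
function sessionExpired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_seen']) && ($now - $session['last_seen']) > $limit;
}

function startSession(): void
{
    // lifetime 0 makes the session-ID cookie a temporary one: the browser
    // keeps sending it until it is closed, however old the session is.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    // The server, not the cookie, decides whether the session is still valid.
    if (sessionExpired($_SESSION, time())) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true); // do not keep using the expired ID
    }
    $_SESSION['last_seen'] = time();
}

// Constructed check of the rule with fixed timestamps.
var_dump(sessionExpired(['last_seen' => 1000], 1000 + 1801)); // idle past the limit
var_dump(sessionExpired(['last_seen' => 1000], 1000 + 60));   // recently active
var_dump(sessionExpired([], 5000));                           // brand-new session
```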

Synook Posted July 17, 2009
> Okay, so is it bad to use sessions to send error messages? I thought it was a really nice way to do it.

Why do you need to store error messages anyway? After all, you only need to display them immediately after the error-causing event. But error messages aren't sensitive...

ckrudelux Posted July 17, 2009
> Why do you need to store error messages anyway? After all, you only need to display them immediately after the error-causing event. But error messages aren't sensitive...

I'm just sending text like this
Send user and password to the login script and if they don't match I send you back with an error message at the login box.

Synook Posted July 17, 2009
You can just use GET for that - sessions would be slower.