
I Wonder?


ckrudelux

Sessions die when the user closes their browser (i.e. at the end of the session). Cookies last as long as you tell them to (or until the user clears their cookies). Session data is held server-side and can't be freely modified by the end user, while cookie data is held client-side. Sessions are faster as all that needs to be sent is the session ID (SID), while with cookies all the data needs to be resent with every request.


Sessions die when the user closes their browser (i.e. at the end of the session). Cookies last as long as you tell them to (or until the user clears their cookies). Session data is held server-side and can't be freely modified by the end user, while cookie data is held client-side. Sessions are faster as all that needs to be sent is the session ID (SID), while with cookies all the data needs to be resent with every request.
Thanks then I know what to use :):)

Well I think you should also know that sessions shouldn't be used with every chance either. While it seems the obvious way to go, you should use them only when you need them. This is because it's server side (like Synook said), but if too many users are on and you rely heavily on sessions then your server will be bogged down. But sessions are secure, so use them for important information that you wouldn't want users to edit (like a login). Cookies aren't so bad either, I use em. Don't use them for login though, people can change a cookie to have an admin name, then you'll be screwed! Even though cookies sound like they take much longer, it's still only a fraction of a second in most cases (but of course it adds up).
But if you are making a login, here is the way I do it: Use sessions to login the username only. Also save the username and password on a cookie. This way, if the username session doesn't exist on the start of a page, check to see if the username AND password cookie exist. If they exist and match in the mysql database, then set a session where the username = the cookie username. If only one cookie exists or they do not match, someone was trying to hack in, so clear cookies and have an error log of some sort that sends information you want, like IP and the time of day.
This is how I make a "sticky" login. Since sessions die when you turn off your browser, you need a way to "remember me".
So the moral to this story is, use both. Each are better for different things. Try to use as little sessions as possible but enough necessary for your site to function the way you want.
Some may disagree but this is my opinion.

Edited by MrFish

It is better to store a hash of the password if you do store it in a cookie, as then the password isn't stored in plain on a potentially insecure system.

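Added example, not written by any poster in this thread: the "remember me" check from the two posts above, with one swap stated plainly. Instead of the password or its hash, the cookie carries a random single-use token and the server keeps only a hash of that token. The `$store` array standing in for the MySQL table, the function names and the `selector:validator` cookie layout are assumptions made for the illustration.

```php
<?php
// Added example. $store stands in for a database table keyed by selector (assumption).

// Called after a successful password login; returns the value for the cookie.
function issue_remember_token(array &$store, string $username, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, never stored in clear
    $store[$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    // In a real page: setcookie('remember', $value,
    //   ['expires' => time() + $ttl, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $selector . ':' . $validator;
}

// Called when no session exists but a remember cookie was sent.
// Returns the username on success, null otherwise.
function check_remember_cookie(array &$store, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use: a replayed cookie fails
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        error_log('remember-me token rejected, selector ' . $selector);
        return null;                          // caller clears the cookie
    }
    return $row['user'];                      // caller sets $_SESSION and issues a fresh token
}

// Constructed demo: runs from the command line, no browser or database needed.
$store  = [];
$cookie = issue_remember_token($store, 'alice');
var_dump(check_remember_cookie($store, $cookie));   // valid token
var_dump(check_remember_cookie($store, $cookie));   // same token replayed
$cookie = issue_remember_token($store, 'alice');
var_dump(check_remember_cookie($store, substr($cookie, 0, -1) . 'x'));  // tampered validator
```

Changing the username in the cookie gains nothing here, because the username is read from the server-side row, and a copy of the token table does not yield a usable cookie because only the hash of the validator is stored.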

It is better to store a hash of the password if you do store it in a cookie, as then the password isn't stored in plain on a potentially insecure system.
Okay, so is it bad to use sessions to send error messages? I thought it was a really nice way to do it.

Sessions die when the user closes their browser (i.e. at the end of the session).
Wha...? I thought that Sessions (since based on Cookies) last until the session expires, which is an adjustable setting.

The cookie is a temporary cookie, so it will be deleted when you close the browser. The session timeout is only checked by PHP, so when the browser sends the session ID then PHP will look it up to figure out if the session has expired or not, but the cookie will hang out until you close the browser.


Okay, so is it bad to use sessions to send error messages? I thought it was a really nice way to do it.
Why do you need to store error messages anyway? After all, you only need to display them immediately after the error-causing event. But error messages aren't sensitive...

Why do you need to store error messages anyway? After all, you only need to display them immediately after the error-causing event. But error messages aren't sensitive...
I'm just sending text like this: Send user and password to the login script, and if they don't match I send you back with an error message at the login box.