
Session Handling


tal


Hello all,

I am using session functions - storing the session id as a cookie and storing the actual session data as a plain text file in the temp folder.

Now I have two questions about how to handle sessions:

1- When looking from the security point of view (thinking about XSS), is it safe to leave the session id in plain text in the cookie, for all to see?

2- Is it better, from a speed and efficiency point of view, when querying data from mysql, to write it to session files for future use (in that session) instead of querying mysql each time I need that data?

I would appreciate any kind of help.

Thank you,
Tal


Sessions are very safe. Only the session id is written to the client's computer. It is the client's responsibility to keep the computer secure. If the user is working in a library or somewhere else that is not secure, the user should take precautions. You can help by providing a logout function that destroys the session data on the server. If you provide a system for logging out, but the user does not log out, that is the user's fault.

Writing data to a file and then reading it is NOT efficient. Sending the same query to your database is more efficient, since the information is only read, not written.

But if the data is static, you can store it in the $_SESSION array, and it will not have to be read from disk more than once. That is the most efficient of all. If your server is very busy, it may have to write the session data to disk. But it will use an internal system to track it, and that will still be more efficient than writing it and reading it yourself.

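The points in the answer above (an HttpOnly session cookie so page scripts cannot read the id, caching a static MySQL lookup in $_SESSION instead of re-querying, and a logout that destroys server-side data), together with the nonce from the follow-up question kept server-side in the session, as an added PHP example that is not code from this thread. It assumes PHP 7.3 or later and an already opened PDO connection in `$pdo`.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and an open PDO connection in $pdo.

function startSecureSession(): void
{
    // HttpOnly keeps the id away from page scripts (the XSS concern); Secure limits it to TLS.
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();
}

// Static lookup cached in $_SESSION: hits MySQL once per session instead of once per page.
function cachedLookup(PDO $pdo, string $key, string $sql, array $params = []): array
{
    if (!isset($_SESSION['cache'][$key])) {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $_SESSION['cache'][$key] = $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
    return $_SESSION['cache'][$key];
}

// Nonce stored server-side; the client only ever sees the value in a hidden form field.
function issueNonce(): string
{
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['nonce'] = $nonce;
    return $nonce;
}

function consumeNonce(string $submitted): bool
{
    $expected = $_SESSION['nonce'] ?? '';
    unset($_SESSION['nonce']); // single use
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Logout: wipe server-side data, expire the cookie, destroy the session file.
function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

Call `startSecureSession()` before any output on every page; the nonce never needs to be written to a cookie, so the "cookie or session file" choice from the follow-up question is answered by keeping it in the session and sending only the value in the form.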

Thanks for the answer.

Now, I have a nonce I need to work with, and I have two options for handling it: sending a cookie to the client's computer, or writing the same data to a session file.

What will be more efficient (less resource consuming)? What would be more secure (considering I am encrypting the data)? Writing to disk or writing to a cookie?

Thank you for all the great support,
Tal


Archived

This topic is now archived and is closed to further replies.
