Jump to content

ASP sessions+cookies vs PHP session+cookies


cherri8
 Share

Recommended Posts

Hi i hear allot of things on the net that PHP sessions can be unsafe if you are not an experience programmer.I still want to make sites with PHP regardless what I hear.I was wondering if ASP sessions+cookies are safer than PHP sessions+cookies because ASP codes are hidden on the browser? . I think ASP session info is hidden from people using shared hosting but with PHP sessions it is not hidden from people . thanks

  • Like 1
Link to comment
Share on other sites

thanks. if i only use sessions for php and not cookies can i use these codes to check if people are login on a secure page?. i plan to do the regenerate id or whatever it is called for session id but i have not done it as yet. if (isset($_SESSION['fuser']) && isset(shal1($salt.$_SESSION['id']) && isset(sha1($salt.$_POST['fpassword']) ) ) {header('Location:securepage.php');} if (!isset($_SESSION['fuser']) && !isset(shal1($salt.$_SESSION['id']) && !isset(sha1($salt.$_POST['fpassword']) ) ){header('Location:index.php');}----------------------------------i have a database tables question.im going to do a session table with "CREATE TABLE sessions ( id varchar(32) NOT NULL, access int(10) unsigned DEFAULT NULL, data text DEFAULT NULL, PRIMARY KEY (id) )";saw this on a tutorial on the net.the sessions id does not have AUTO_INCREMENT like i see in this site tutorials.Im wondering if i can replace id varchar(32) NOT NULL, with id int UNSIGNED NOT NULL AUTO_INCREMENT, in my members table and all the other tables connected with members like the shop table for example? or i probably should just put everything from the sessions table into the members table?thanks

Link to comment
Share on other sites

session id will be alphanumeric by default so it will need a varchar data type rather than int. you dont need to link up your session table to other table like member table. you will use session as you are used to you will only need to override the php session handling.http://php.net/set_save_session_handler <= check this link

if i only use sessions for php and not cookies can i use these codes to check if people are login on a secure page?
you dont need to save password in sessions. when you make a login check its credential and if login matches give them a access token lile $_SESSION['auth']=true; ..and you will check for this token in secure page.
Link to comment
Share on other sites

thanks you guys!.birbal: i'll use the $ _SESSION['auth']=true; idea like you said and since that session is going to be made for correct ip,password,and username i decided to not put username in sessions and just use isset($_SESSION['auth']) && isset($_SESSION['id']).i heard it isnt the good idea to put username in sessions so that method would be great for me. justsomeguy: i'll use md5 instead.I hope that its ok to use with isset: $pwd=$_POST['fpassword']; = md5($salt.$_POST['fpassword']);$id=$_SESSION['id']; = md5($salt.$_SESSION['id']); isset(md5($salt.$_SESSION['id']))

Link to comment
Share on other sites

you dont need to save password in sessions. when you make a login check its credential and if login matches give them a access token lile $_SESSION['auth']=true; ..and you will check for this token in secure page.
Got a question here. The $_SESSION['auth']=true; is suggested just for pages that have content, only registered users can see right? Because if you are going to retrieve user-specific data (like a username or a profile picture) you need to have user specific information saved in the session like the user id. Is that right?
  • Like 1
Link to comment
Share on other sites

i'll use md5 instead.I hope that its ok to use with isset:
it will be same as sha1. md5() also return string.
It's not correct to use isset with a function like sha1, isset only checks if a variable is set. The return value of a function isn't a variable, it's a value.
as justsomeguyg said already isset() check if a variable has value or not. md5() itself returning a value. so there is no point to use isset() there.
Got a question here. The $_SESSION['auth']=true; is suggested just for pages that have content, only registered users can see right? Because if you are going to retrieve user-specific data (like a username or a profile picture) you need to have user specific information saved in the session like the user id. Is that right?
exactly. you can save user id or other user related information which you will need in other pages. Edited by birbal
Link to comment
Share on other sites

it will be same as sha1. md5() also return string. as justsomeguyg said already isset() check if a variable has value or not. md5() itself returning a value. so there is no point to use isset() there. exactly. you can save user id or other user related information which you will need in other pages.
thanks it is more clear to me now.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...