Visual Basic Forum for Visual Basic Programmers » Other Languages

Sessions or Cookies
Avis
Junior Poster


Joined: 07 Oct 2003
Posts: 510
Location: India

Posted: Aug 9th, 2004 05:00 AM    Post subject: Sessions or Cookies

Hello!

I am working on a big project which is coded in PHP. It's very mission critical and involves online money and credit card transactions.

So currently I am using cookies to authenticate the user. But I came to know that it's not as secure as sessions. But then I also came to know that sessions are slow and they suck.

Sessions are hard to code and make the overall browsing experience slower. Is this all true, or are cookies as secure as sessions?

Please suggest.

Thanks!
_________________
Code Snippets, Tutorials, Utilities, Controls

Low cost Web Hosting
Hosting starts at as low as $4 per year!


Always follow posting guidelines
Put your VB code in [vb ] your code [ /vb] tags!
CheatKing64
Freshman


Joined: 06 Aug 2004
Posts: 32
Location: The US of A

Posted: Aug 9th, 2004 11:20 AM

Sessions aren't really all that horrible. In fact, this forum uses sessions! The problem arises because sessions are a little complex. And yes, cookies can be less secure.

Whenever you store a cookie, the cookie is sent with every request to that site. So if you had, say, a cookie with the person's name, address, phone number, credit card number, shopping cart, etc. that could really slow down the connection. With sessions, there is one cookie (or, in some cases, no cookies, which I'll explain later) that holds the session ID. The server handles the storage of the data in the session, which makes life much easier (in my opinion).

However, if you're making something that would have return users, I'd recommend storing their information in a database, not in sessions, so that they can return later.

To use a session, you should first call session_start(). Although not absolutely required (if you use session_register()), it's always good practice to do such things. Then, assuming you do NOT have register_globals enabled (a PHP.ini setting, defaults to off starting in version 4.2), you can use the session variables like this:

Code:

session_start(); // must run before $_SESSION is used
$_SESSION['username'] = 'CheatKing64';
$_SESSION['password'] = 'password';
/* and so forth */


If you do have register_globals on (although this method is discouraged, because it makes for not-so-portable code), you can use the session variables like this:

Code:

session_register('username');
session_register('password');

$username = 'CheatKing64';
$password = 'password';


In both cases, you can register your variables with session_register(), and can use them with $_SESSION[], which is why the $_SESSION[] autoglobal is recommended.

I hope I didn't go too in-depth (or not in-depth enough). Basically, to answer your question, it is more secure to use sessions, because the server end is typically much more secure than the client. Sessions don't slow everything down, because again the processing is done at the server end (and servers are faster than clients as well). If you need any more help, I'll be happy to help.

PHP Manual references:
PHP Manual :: Sessions

Hope all this helps!
_________________
NCSA Certified in HTML 4.0:


EasyMail POP/SMTP Server:
http://easymail.sourceforge.net
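The login flow the post above describes, as an added example that is not part of CheatKing64's post: the server checks the password against a stored hash, issues a new session ID at login, and keeps only the username in $_SESSION. It assumes PHP 7.3 or later on an HTTPS site; the user store and its password are constructed sample data.

```php
<?php
// Added example, not CheatKing64's code. Assumes PHP 7.3+ served over HTTPS.
declare(strict_types=1);

// Constructed sample user store; a real site would load the hash from its database.
$users = ['CheatKing64' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh session ID at the moment of login and delete the old
    // session data, so an ID handed out before authentication stops working.
    session_regenerate_id(true);
    // Keep only what later pages need to identify the user; the password
    // itself never goes into the session.
    $_SESSION['username'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

// The browser only ever holds the session ID cookie; these flags keep it away
// from scripts, plain HTTP and cross-site requests.
session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Strict',
    'use_strict_mode' => true,
]);

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (!(is_string($u) && is_string($p) && login($users, $u, $p))) {
        http_response_code(401);
    }
}
$user = current_user();
echo $user === null ? 'Not logged in' : 'Logged in as ' . htmlspecialchars($user);
```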
Avis
Posted: Aug 10th, 2004 01:11 AM

Hi CheatKing64,

Thanks for the valuable information. Now if sessions are so easy to use, then what about the rumour that says: we have to manage the session ID, as PHP does not manage it, and we have to store it some place, and in case we need it then we'll have to get it from there and then use it. You can't just do something like:

Code:
$getmyid = SESSION['ID'];
// Just a sample not real.


So we'll have to store it in some database when we register a new session and keep it there until user logs out etc. Like in phpBB session id is attached to all the links you link in here.

This can get real fussy and insecure if we don't know how to manage sessions.

Thanks!
CheatKing64
Posted: Aug 10th, 2004 01:24 PM

There is a variable, called SID, which is, according to the PHP manual:

Quote:

Constant containing either the session name and session ID in the form of "name=ID" or empty string if session ID was set in an appropriate session cookie.


In other words, it is supposed to be appended to any links, in the same way that the session ID is appended to links on this board.

There is also a function, session_id(). According to the PHP manual:

Quote:

session_id() returns the session id for the current session.


You can pass session_id() a parameter containing a valid session ID if you want, but it is not necessary.

I just thought of this right now: if PHP is configured (through PHP.ini) to use cookies to store the session ID, you don't need to do anything. However, if the setting (session.use_cookies) is set to "0", or the client has cookies disabled (though I'm not sure about the latter), then YOU must handle the session through the GET parameters (the SID variable). When the session ID is passed through cookies, SID is empty (you can use that to check for cookies, I guess).

All-in-all, you may need to make sure to pass the session ID when needed, but you don't need to store it. The only thing I can think of is if you have a "remember me" option, in which case I'm not sure. I'll look into that and see what I can find.
Avis
Posted: Aug 11th, 2004 01:03 AM

Hello!

I don't wanna have a "remember me" option. I want the user to log in every time he visits the site.

Thanks!
CheatKing64
Posted: Aug 11th, 2004 12:00 PM

Ok, then the sessions will be managed by PHP automatically. You'll never have to bother with them, unless your users don't have cookies enabled. But then again, you can say that the page requires cookies, in which case most users will enable cookies.
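The setup the last three posts arrive at (session ID carried only in a cookie, no "remember me", and a notice when cookies are off), as an added example that is not code from the thread. It assumes PHP 7.3 or later on an HTTPS site; the cookiecheck query parameter is a hypothetical name chosen for this sketch.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ served over HTTPS.
declare(strict_types=1);

// Accept the session ID from the cookie only: an ID carried in the query
// string ends up in server logs, browser history and Referer headers.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');   // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,       // no "remember me": the cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Full logout: clear the data, expire the cookie, delete the server-side record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Cookie check: the first response sets the cookie and redirects once with a
// marker (hypothetical parameter name). If the cookie is still missing on the
// second request, the client has cookies disabled.
if (!isset($_COOKIE[session_name()])) {
    if (isset($_GET['cookiecheck'])) {
        http_response_code(400);
        exit('This site requires cookies. Please enable them and reload.');
    }
    header('Location: ?cookiecheck=1');
    exit;
}
echo 'Session established via cookie.';
```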
All times are GMT - 5 Hours