Cookies vs. Sessions

Anon

We all know that many people have figured out how to disable cookies on their web browsers. So using them can be problematic.

But what about sessions? They seem to be the perfect substitute for cookies. However, I did notice in IE 5.5 this curious little set up param "Disable persistent data" or some such thing.

I am wondering if there is a way for a user to have his or her browser to not allow sessions to take place on their local machine. Session variables are still stored locally, like cookies right?

If so, it could be back to square one :-)

Anon

"Disable persistent data" or some such thing

I'm not sure what that is, but there is no way for a browser to disable session info.

Session variables are still stored locally, like cookies right?

They can be, but they don't have to be. PHP will try using cookies, but if it can't, it will use temporary files on the server. That is why there's no way for the browser to disable session info. If it's on the server, IE can't control it.

Diego

Anon

Forgive me for being so stupid here, but I forgot that my Apache server (local to my machine) is not the same as my web host provider's server.

And that makes a world of difference :-)

I finally got Apache to run on my Win Me machine after much tribulation, but run it does now indeed. And I just had a brain fart there as to which "server" I was refering to.

So I guess, viewed in light of your post, that Sessions can replace Cookies without the user having the option to block them? That is what I think could resolve this issue.

Anon

that's not quite accurate. PHP will use temporary files on the server anyway to store session data. What it stores in the browser's cookie is just a session ID that identifies which temporary file contains the session data for that browser's session.

If the browser has cookies disabled, PHP can't do this. Instead, it attaches the session ID to the site-local URLs being echoed to the browser. So someone browsing with cookies turned off will have a ?PHPSESSID=[session identifer] following them around in the site's URLs.

Anon

an argument for cookies:

okay, i spent a lot of time writing <a href="http://homepage.mac.com/ghorwood/php_lib_login/index.html">
login library</a> based on sessions.... and have come to the conclusion that cookies are better:
<ul>
<li>ssl - cookies can be forced over ssl. this is a good thing indeed</li>
<li>persistance - some people like to never have to log in again</li>
<li>reduced database hits - it's much easier to store some user-specific stuff in a cookie than throw it into a database and retreive it. and with cookies you can retrieve this info before the user logs in!
<li>universal access - i write scripts that are called by flash (client side). the cookies are always there<li>
</ul>

okay, there is the issue of the no-cookie browser... but realistically this is rare and the vast majority of web users accept the fact that disabling cookies will reduce the web's usability. modern browsers to a good job of allowing users to filter out certain cookies (doubleclick and friends) so there's less of a need to turn off all cookies to protect privacy.

one vote for cookies.