Sessions or Cookies?

rapmonkey

For having users log into a site, which is better, Sessions or Cookies? What are the advantages and disadvantages of the two? I'm not sure which to use. How do they do for security?

PyroX

Sessions, because not everyone accepts cookies.

sijis

PyroX, i thought i've read somewhere that if a user doesn't accept cookies the user also isn't accepting a session (maybe that is for ASP instead?).

rapmonkey,

I would say sessions. after a certain period of time, if the user is inactive, the session stops requiring the user to login again. I'd store the username in a cookie for the "Remember me" option when logging in (if you have one).

Cookies can be easily manipulated to be as another user and such and (as far as i know) almost impossible to manipulate a session variable from the client side.

Weedpacket

PHP uses a cookie to store a session ID on the browser if cookies are being accepted by the browser. If they aren't, PHP puts the session ID in the URL instead.

Explicitly setting cookies by hand has the advantage that the data can be preserved from one session to the next. The drawbacks are that (a) cookies must be accepted by the browser for cookies to work at all, and (b) you have to handle storing the data across sessions - either in a database (and trying to figure out when to delete it), or in the cookies themselves; if you store the data in the cookies, then there are the further disadvantages of (c) all that data has to be shipped back to the server with every request by the browser (instead of just a session ID), and (d) ther data is less secure.

mickknutson

Originally posted by Weedpacket
PHP uses a cookie to store a session ID on the browser if cookies are being accepted by the browser. If they aren't, PHP puts the session ID in the URL instead.

Explicitly setting cookies by hand has the advantage that the data can be preserved from one session to the next. The drawbacks are that (a) cookies must be accepted by the browser for cookies to work at all, and (b) you have to handle storing the data across sessions - either in a database (and trying to figure out when to delete it), or in the cookies themselves; if you store the data in the cookies, then there are the further disadvantages of (c) all that data has to be shipped back to the server with every request by the browser (instead of just a session ID), and (d) ther data is less secure.

Can you help me with an issue I have at http://www.phpbuilder.com/board/showthread.php?s=&threadid=10223851&highlight=cookie+IE
I am not able to get a certain cookie functionality to work for me.