Sessions or cookies? and why.

Mark

which is "better"?

stolzyboy

sessions

easier to work with, everything is server side, very hard to spoof a session, etc...

still pretty easy to work with, however can be spoofed, since the cookie is not on the server, etc..

however

both are really great at complementing each other when used in conjunction

Mordecai

Sessions are better because they don't require cookies all the time... Cookies are sometimes shut off, and don't often work through frames.
I still use cookies, though, because I still can't grasp how to use sessions. (It's mind boggling, really...)

stolzyboy

Mordecai

you ever done a login script with sessions, it is really easy, i have a post out
there where i gave someone a simple login script with sessions if you want to
check it out, you can find it here

matt_4013

Well, really it depends what you're doing. Sessions and cookies are different things.

A session works like this. When you initialize your session with session_start(); a unique session id is generated, a corresponding file is placed in the temp directory of your server, and a cookie is sent to the client which holds the session id. THIS is why sessions are more secure. It's a hell of a lot harder for the user to spoof variable values, because the values are residing in the temp file on the server, NOT in the cookie on the client.

However, a session will only last until the user closes the browser. This is the downside of sessions. A user can't login, using just a session, close the browser, reopen it, come back and still be logged in. Normal cookies have a lifetime, so you can keep variable data over a longer amount of time, however this data is stored on the client and as such is easy to manipulate 🙂

Hope that helps,
Matt

P.S.

Mordecai, sessions are amazingly easy.
page 1:

session_start();
$_SESSION['foo'] = "bar";

page 2:

session_start();
echo $_SESSION['foo']; // This outputs "bar". That easy.

Weedpacket

...which isn't to say that you can't store "trans-session" data somewhere on the server along with an ID, and set a persistent cookie on the client containing that ID (which is otherwise totally meaningless) - this was the intended use for cookies in the first place.

matt_4013

Yes, this is correct (duh!), but that's more creating your own sessions manually. I used this method a few times, stored the data in a database with a unique "SessionID", and set a cookie on the client which contained this ID. The main problem with that is figuring out how and when to destroy redundant sessions 😉

Mark

question.. arent sessions slower? well, when you get lots of traffic, would it not create a huge load on the server?

matt_4013

Well, I'm not entirely sure. On one hand there is more server processing, but then on the other hand this is offset by less http requests for the data from the cookie :rolleyes:

Weedpacket

Originally posted by matt_4013
Yes, this is correct (duh!), but that's more creating your own sessions manually. I used this method a few times, stored the data in a database with a unique "SessionID", and set a cookie on the client which contained this ID. The main problem with that is figuring out how and when to destroy redundant sessions 😉

Well... ish. Certainly you can write your own session handler (pre PHP4 you pretty much had to, or use a third-party product), but setting cookies manually means you can ask them to be kept after the session ends (and because you know that, you can note it in the database, too!). That's the main difference.

But speaking of database storage of sessions; PHP provides hooks to write one's own session handlers: using a database method instead of the default file-based system can speed things up and reduce load on the filesystem, because (assuming enough memory), the session db would be cached in core. And that's some orders of magnitude faster than the hard disk.

Mordecai

Originally posted by matt_4013
Mordecai, sessions are amazingly easy.

I know.. that's probably why I can't grasp how to use them well. 😉

lobobr

Well, actually I prefer sessions, but I've realized that I'd must use them WITH cookies.

This is a real-life experience. I work for a brazilian dot com that, along with the site, send two daily newsletters for all clients.

Thing is that in these newsletters each link points to the site and carries the user id and encrypted password so they can check the information related.

One of our clients had powerful restrictions on the his company's firewall, so, for still-not-fully-explained reasons they just couldn't login and start their sessions.

The ONLY (believe me we've made dozens of tests, a truly horrifying developer nightmare) way was to store the session data on cookies.

The neat thing about using sessions with cookies is that if the user disables cookies, PHP automatically stores the session data on the old "trans-sid" fashion.

Best regards,

pointsplat

While sessions (referring specfically to manually created session) are preferable because they are server side and you can do more with them, they almost always work as compared to cookies which can be turned off and as stated above they are more "secure" cookies are much easier to use. Making my own sessions I used a table of IPs usernames, etc and the code to check if there was a user there if so update his info, if he was a guest set him as a guest blah blah blah was a buncha lines as compared to the same code in cookies being about 3. Again easier but lotsa downfalls 🙂

All this talk has made me hungry for a $_COOKIE['to eat'];!!