Sessions: Cookies or passing ID around?

ristuart

Hi,

Sessions in PHP4 usually use a cookie to store the session ID. This means that if a user has cookies disabled or doesn't accept the cookie, things won't work as each page will create a new session for the user.

To avoid this problem you can pass the session ID around to every page.

My question is, other than putting the session ID in every page being a little awkward / annoying, is there in your opinions any particular disadvantage in this method over the cookie method? Would it be easier to steal the session ID this way, or does it not really make much difference?

I'm not writing anything that needs to be secure at the moment, but I'm just interested for any future projects. Also I do understand that just using sessions alone is not particularly secure anyway!

Thanks,
ristuart

ristuart

Thinking further...

My main concern is people passing links to particular pages of the site around: if the session ID is in the URL which they give to others, will those people pick up their session? Presumably there's a certain time after which an inactive session expires?

If a session has expired and a session ID is passed to a sessions script, will it ignore it and create a new session, or what?

Thanks,
ristuart

trooper

Make sure that you put something that is unique to each user in the session.

In my sessions i use the users ip, date, a secret string, the session id itself. Now when they login this info goes into the db and is stored on the server as a session cookie. Then on every page they goto i simply check that the information that is in the session cookie for that user matches what is in the DB.

Incidentally by putting the ip of the user in the session data you remove the problem of passing the session id from one person to another ....... BUT ..... that problem still exists if "person A" in a company logs in and passes the complete url to "person B" in the same company.

As companies have intranets etc they are nearly always behind a f/w and router - and to the outside world this would show up as two people coming from the same IP address. So the checking of the users IP address in this instance would NOT work. "Person B" would effectively be able to "piggy back" off "person A's" sessionid.

This was a problem we had and so we had to make a tough decision on which approach to take. In the end we decided to use session cookies on the client and have all the users info on the server session cookie.

You're right that people often reject all cookies - but hey if yahoo require that you at least allow session cookies then we ain't that far off what the big boys do.

If you (or anyone else) have any other questions then just yell

Originally posted by ristuart
Thinking further...

My main concern is people passing links to particular pages of the site around: if the session ID is in the URL which they give to others, will those people pick up their session? Presumably there's a certain time after which an inactive session expires?

If a session has expired and a session ID is passed to a sessions script, will it ignore it and create a new session, or what?

Thanks,
ristuart

ristuart

Thanks for your reply, that certainly gives me a bit more to think about.

For the particular project I'm working on, as I said, security isn't really a consideration: the site does not require users to log on. What I plan to be using sessions for is mainly storing which 'version' of a site a user has chosen to view.

The client likes frames and wanted to use them for the site, and so this will be the default, but I will also offer a non framed version, and a text only version for accessibility. Storing the version they are viewing in the session seemed nicer than appending it to all the URLs.

I've also had the idea of the frameset registering a session variable to say that it's been run. Pages that are supposed to be loaded into the frameset will check for that variable, and go to the frameset page if it's not there. This will hopefully avoid people ending up viewing a page without the menu etc, as it's less likely that a page will be loaded on its own later on in the session.

But this means that if cookies are disabled, the site will not remember which version they are viewing and keep defaulting to the frameset - not good.

I think what I'll do in this case is have an index.php which starts a session and stores a variable in it, then redirect to the frameset page. That page will check for the first variable. If it's not there then the cookie wasn't accepted (a new session was started) and we go to a page explaining why the site needs a cookie.

Thanks for your ideas, I'll certainly bear them in mind for future. As the main audience for this site will be home users I might use the IP storage technique as well, just to avoid one user getting another's preferences.

Natty_Dreadlock

Even if u use cookies for the session the version will not be remebered... PHP uses temporary cookies for the session which are deleted when the user closes his browser. But u can manually set a cookie via setcookie in which u might store the page version the user wants to see.

mincklerstraat

ristuart: there are ways of mimicking at least a left-right frame structure with css2 using a tiny java hack that allow browsers from ie5.5 up to actually get the left non-scrolling frame. If this is acceptable to your client, you might try this. Try googling "css" and "frames" for it. The advantage is you wouldn't have to re-do layout in a no-frames structure, more people would see the site as-is.

In browsers less than ie5.5, the left element (like a frame) simply scrolls up the screen, which is also a highly acceptable result.

This could simplify your coding considerably.

trooper

Natty_Dreadlock

U seem to have forgotten that you can specify how long a session cookie last by using the session.set_cookie_params function

ristuart

Originally posted by Natty_Dreadlock
Even if u use cookies for the session the version will not be remebered... PHP uses temporary cookies for the session which are deleted when the user closes his browser. But u can manually set a cookie via setcookie in which u might store the page version the user wants to see.

I know this, I was only talking about remembering within the same session. The site might also provide the option to remember all the time, either by setting a separate cookie manually or by changing the expiry on the session.

Originally posted by mincklerstraat
there are ways of mimicking at least a left-right frame structure with css2 using a tiny java hack that allow browsers from ie5.5 up to actually get the left non-scrolling frame...

In browsers less than ie5.5, the left element (like a frame) simply scrolls up the screen, which is also a highly acceptable result.

This could simplify your coding considerably.

Hmm, yes - I have seen this sort of thing done. I will think about it... it certainly has its advantages and would make the coding simpler. I'll look into it, and talk to the client. Usually I don't like using JavaScript because of the client side dependancy, but I'll look into it.

Thanks for all your thoughts 🙂