user registration: sessions vs cookies

Vigilante

Recently while I was writing a forum I had to implement a user registration system. When a user logs in their password is checked and if it matches the hash in the db they are given a cookie which specifies their userID and password. "Logged in" is a state in which the user has this cookie, which is used to query users for their userID and check the password and set logged in variables if it matches. The point is that I did all this without ever having any real idea what sessions are good for. Which brings me to my question: Are there any advantages to using sessions for this kind of authentication? Since performance doesn't appear to be significantly affected I would guess the only possible advantage to sessions is security but I'm not sure how they are any more secure since they use a session cookie of some sort anyways, don't they?

________

Hi there,
the bigges problem with cookies is that not all users got it enabeld - and they will not be able to use a login system based on cookies. I'm not sure how many people that don't have cookies enabled, but lest say that 5% don't. And if your page got 1000 hits every day - that means that 50 people can not use the site. Thats a lot of people: 50 * 356!!!!

So for a login script it would maybe be smart to use sessions. But it's just not all advantages with session! Read the chapter on security in the PHP manual.