Which session system ?

cl_stef

Could anyone tell me which is the best working session handling system to use with a Php website? I think it must be more secure to store data on the server itself but if I use local cookies I wonder if they can be easily modified and if so, what I can do against that.

Thanks for your answers...

Weedpacket

PHP's default session-handling system (or any of the session-handling systems it supports) stores all session data on the server.

fandelem

http://us2.php.net/manual/en/ref.session.php is by far the most situated/well-accepted option.

i would personally plan for people who accept no cookies, which means "url wrapping" -- google for more info.. ALL sites should support url wrapping, imo, but some coders are lazy.

if it's a relatively large website, i'd recommend a peak at phpnuke's source on how they deal with session management, database layers, etc.. you can really learn a lot.. not saying they have done it the best way, but it's a great starting point for someone who doesn't really know where to begin...

cheers,

cl_stef

thx, I'll take a look... There is something interesting with phpbb and phpnuke: they can run with a lot of different webhosting services (which mean a lot of different php.ini too I think) without problem.

Sharif

I don't think any of those use different php.ini files (I don't think using more than one is possible either), there are functions in PHP that let you change the configuration in the php.ini file so you can adjust things for a certain script.

phplearner

I was going absolutely NUTSO trying to get some 'session' based stuff working here on my ISP's AIX Unix. Lots of people helped from several forums.

As it turned out, the major problem here was that my ISP did NOT compile PHP with sesssion.use_trans_id turned ON.

The workaround (for my local user use) was they put an .htaccess file in place with the following line in it:

php_flag session.use_trans_sid 1

Now, my ISP runs with PHP 'register_globals OFF', but once this change was made, everything works flawlessly based upon using the following on EACH page:

...at the top...
ob_start(); 
session_start();
$sessid = session_id();
...and at the bottom...
ob_end_flush();

And if you are going to do header redirects to another page after a self/post submit, use this:

if (isset($_POST['submit'])) { 
	$_SESSION['blah1'] = $_POST['blah1'];
	$url = "blah2.php" . "?" . session_name() . "=$sessid"; 
	header("Location: $url");
}

'blah1' is, of course, a Pseudo fieldname & 'blah2' a filename

It took about 40 hours of frustrating experimentation to get this all working, so hopefully this will help!!!:p