I intend to write my own shopping cart and I'm having this problem: for tracking my users, should I use sessions in URLs or just cookies? Using sessions is the safest way (browsers that don't accept cookies will be "forced" by sessions) but .. starting a new session for every new user is a disaster for SEO (no spider will index my files with sessions).

My options:
1) user id and shopping cart entirely in cookies;
2) session id in cookies & shopping cart in DB;
3) session id and shopping cart entirely in sessions;

Any option can be made to be safe but:
1) A few visitors (I think < 5%) don't accept cookies;
2) Using a DB can be nice but a lower number of queries is recommended especially for large eshops.
3) session_id in an internal URL is hated by spiders. You may win some potential clients with paranoid privacy settings or prehistoric browsers but you surely lose clients coming from search engines.

So, what would you choose?

Any advice or help would be greatly appreciated.

    It'll be some more coding but do both. Check to see if they accept cookies and if they do, use your cookies. If they don't, use sessions.

      That depends on how long you want the people's "things" remembered.

      You really have no choice here. If you want the people to come back to your site and have their settings remembered, then cookies are the only way to do it.

      Since session variables only work until the browser is closed, once they close the browser, all their settings will be gone.

        Well, unless you make the users a profile and have them sign on and off. Then you could use sessions and save their data for whenever. But of course, it requires the users to create a profile which would turn some people away.

          Ok Bike5,
          I am listening. LOL. Now, I am confused. I thought session variables are destroyed once the browser is closed.

          Just like you said, I have our customers save our products to their profiles. I don't keep session variables, but cookies since I want them to come back with a welcome message on the web browser.

          Now, I know how to do this with cookies, but how can a session var be saved when they return?

            The session vars are not saved, but if you store their information in a database and they log in to their account, you can pull their information from the database and restart the sessions with information from the database.

            I say use a database, sessions for authenticating user, and a cookie to remember the user for an autologin if they chose that. Even though a large DB might take a few more split seconds to load I think it would be worth it.

            You're right, the session vars are gone when the browser closes. I might not have been very clear.

              bike5,
              If the browser supports cookies, the browser can support sessions.

              PHP just needs the browser to say "this is my session ID". Cookies work fine for that. Once PHP receives the session ID from the cookie, it knows which session data to load (which was saved to the server's disk (or DB) on the previous page).

              It's also possible (though slightly more difficult) to make sessions work even when cookies are disabled, by putting the session ID in the URL or a form variable. As long as you can get the user to give you their session ID on their next visit (and the session file on the server is not so old that it has been auto-deleted) you can resume the session.

              My vote would be for sessions. Much easier to work with. Fewer trust issues too; users can modify cookies, but not session variables (client side versus server side).

              Session vars are NOT automatically gone when the browser closes. Usually the session cookie is set to expire when the browser closes - which means, on the next visit, PHP doesn't know that you have an existing session, and creates a new one - but the cookie can be set to live for a specified length of time. Even when the session cookie is destroyed, the session data still exists on the server, until they get cleaned up automatically by PHP.

                Great. I learned something here myself even though I never started the thread.

                Thanks!

                  Originally posted by swr
                  It's also possible (though slightly more difficult) to make sessions work even when cookies are disabled, by putting the session ID in the URL or a form variable.

                  A session without the option to be passed on every URL is just cookie data on the server and a cookie ID on the client, ~ same functionalities but with a different approach (the session_id can be set to be permanent on client but .. you probably gonna lose the data on the server, instead a DB can be used).

                  When I say sessions I also include the session ID in internal links. That's what I'm trying to avoid, losing visitors from search engines for a few visitors with antique browsers. 🙂

                  Hmm, a hard choice: 1 visitor with lynx (probably a *nix maniac) or 10 visitors with IE 6.0.. :rolleyes:

                    swr, when you say "until they get cleaned up automatically by PHP", what does that mean exactly?

                    Does the session data get cleaned up automatically every day, every time someone else calls the PHP, at some other set time, or at a random time?

                    So if you save the session ID in a database and when a user logs in it calls the same session ID, does that mean they can call the session data they had before they closed their browser (since the data is still on the server)?

                    Hopefully that makes sense, I am just trying to get a better understanding. Thanks

                      Originally posted by bike5
                      Does the session data get cleaned up automatically every day, every time someone else calls the PHP, at some other set time, or at a random time?

                      session.gc_maxlifetime integer (default 1440 seconds)
                      session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.

                      Session Handling Functions
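
The settings swr and the reply above describe (cookie-carried session ID, a session cookie that outlives the browser, and `session.gc_maxlifetime`), put together as an added example that is not code from any poster in the thread. It assumes PHP 7.3 or later and an HTTPS site; `CART_TTL`, `start_cart_session()`, `add_to_cart()` and `on_login()` are hypothetical names.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ and HTTPS.
declare(strict_types=1);

const CART_TTL = 7 * 24 * 3600; // assumed policy: keep a cart for one week

function start_cart_session(): void
{
    // Carry the session ID in a cookie only. With these two settings PHP
    // neither accepts an ID from the query string nor rewrites internal
    // links to include one, so IDs stay out of crawled URLs, server logs,
    // Referer headers and bookmarks.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Server side: data idle longer than this counts as garbage (default
    // 1440 s). Collection is probabilistic, run on some session starts
    // (session.gc_probability / session.gc_divisor), not on a schedule.
    // If several apps share one session.save_path, the smallest value wins.
    ini_set('session.gc_maxlifetime', (string) CART_TTL);

    // Client side: a non-zero lifetime keeps the cookie after the browser
    // closes. It should not exceed gc_maxlifetime, or the browser will
    // present an ID whose data is already gone.
    session_set_cookie_params([
        'lifetime' => CART_TTL,
        'path'     => '/',
        'secure'   => true,   // send over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
    $_SESSION['cart'] = $_SESSION['cart'] ?? [];
}

function add_to_cart(int $productId, int $qty): void
{
    // The cart lives on the server; the client only holds the opaque ID.
    if ($productId <= 0 || $qty <= 0 || $qty > 99) {
        throw new InvalidArgumentException('bad product id or quantity');
    }
    $_SESSION['cart'][$productId] = ($_SESSION['cart'][$productId] ?? 0) + $qty;
}

function on_login(int $userId): void
{
    // Issue a fresh ID when the session gains privileges; the cart is kept.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```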

                        Ok, that's what I wanted to know.. Thanks for the info.
