SESSION cookies vs. URL

foid025

Hi, I'm wondering what advantages / disadvantages there might be to using SESSION exclusively through the URL as opposed to cookies. I've heard that Session variables are associated with individual browser windows, not just a user. So if one user has four windows open to the same site, he could have four Session going. Is this correct? And will the server be able to juggle those four Sessions equally well with cookies as with the URL?

The reason I ask is that I use Sessions when uploading files on my website to dictate which folder the files are uploaded to. When a user has several instances of the website open and upload different files to different folders, the files occasionally get mixed up and end up in the wrong folders. Could Sessions be the culprit?

Thanks for your help!

suntra

If a user has four Windows, the same session id can be used IF using cookies...
If using ID in the URL, if it a fix value (which is normally the case), that should not be a problem...

Let's say the user registers and is redirected to whatever page... in that page, he could open three pages (hosted on your server of course) in new windows... the phpsessid would be passed to every URL...

Advantage of including the session ID in the URL :
-> For people who have cookies disables...

Disadvantages :
-> If you put a link to an external site, the site may have HTTP_REFERER defined with your server and the user's session id ! So in that case, you have to make a special page that will redirect the user (header('Location: ...'))...
-> For those who care, the URL in the browser location bar won't be quite pretty...

foid025

Hmm so you're saying the Session vars might be the same for all windows if the user is using cookies. That is probably the source of my worries then - if the "folder" variable points to the same folder regardless of which instance of the site the user is looking at, files won't necessarily be uploaded to the right place.

So I guess I need to go with URL then.

Thanks

suntra

Well you can personalize every page...

If you have a form, you add a special field in it saying where you are...

But what are you trying to do exactly ?

MarkR

Putting the session ID in the url is not only ugly and unreliable, but it also causes security issues, as the URL may be visible to pages outside your own, e.g. it gets sent to third parties pages in a referrer header, and logged on your own web logs etc.

Using a cookie is ALWAYS more secure, it makes your site less susceptible to session hijacking / fixation attacks.

That said, you should still regenerate your session ID upon login.

And always enable session.use_only_cookies if security matters at all.

Mark