Are sessions worth.. opinions needed

Ethan22

Hello, I've heard by programmers in the past that sessions aren't preferred because they will time out by default in 20 minutes, when cookies and databases don't do that. So if a person closes their browser and comes back the session info ended when they closed their browser, and things aren't held with sessions.

I've never checked on this well to see if these things are true why I'm asking them right now and here. To find out about these things.

Also that sessions in a way are cookies because they still hold id's if it's a usual session that holds ids like these $_SESSION['variablegettingpassed']

So if a person clears all their cookies in the browser it will clear id sessions like these also. So sessions like these are cleared also when anyone clears all their cookies.

Can some of you please tell me if this is true?

And if there are any good advantages to sessions in situations like these?

Thank you very much for your experienced opinions in sessions, cookies, and databases on this.

bradgrafelman

Ethan22 wrote:
I've heard by programmers in the past that sessions aren't preferred

In the past, saying the Earth was round instead of flat wasn't "preferred" either. That doesn't necessarily mean that you should take others' preferences as facts, however. 😉

Ethan22 wrote:
they will time out by default in 20 minutes

Sessions don't "time out" at all. Sessions are (by default) nothing more than files on a server's hard drive, after all. The only thing that would destroy a session prematurely is if two conditions were met:

The session hasn't been opened (in other words: the related file hasn't been accessed) within the past X seconds, where X is defined by the PHP directive session.gc_maxlifetime.
PHP's garbage collection (GC) routine was executed as the result of a random number generated; see PHP directives session.gc_probability and session.gc_divisor

So no, your statement above is not correct.

Ethan22 wrote:
when cookies and databases don't do that

Cookies expire whenever you tell them to expire (much like sessions). Note that since session ID's are often propagated from one request to another via cookies, you've got two expiration times which are unrelated to each other; session file expiration and cookie expiration.

Not sure why you're even referring to databases at all here, though, since they have no correlation to what you're talking about.

Ethan22 wrote:
So if a person closes their browser and comes back the session info ended when they closed their browser, and things aren't held with sessions.

That's only true if that is how you use sessions. It doesn't have to be that way.

Ethan22 wrote:
Also that sessions in a way are cookies because they still hold id's if it's a usual session that holds ids like these $_SESSION['variablegettingpassed']

Not sure what you're referring to, since you talk about "id's" and yet your example refers to a PHP array. You're comparing apples to oranges. Actually, since those are both foods, I would say it's more like you're comparing apples to cannonballs. A session only has one "id" - the SID or [man]session_id[/man].

In other words, I have no idea what you're trying to say here, but I suspect that it relates to a fundamental misunderstanding of how sessions and/or cookies work.

Ethan22 wrote:
So if a person clears all their cookies in the browser it will clear id sessions like these also. So sessions like these are cleared also when anyone clears all their cookies.

Again, that's only true if that is how you use sessions. No one said you must use cookies to propagate the session ID - feel free to use the URL/query string approach if you think that better suits your needs/target audience/etc.

Ethan22 wrote:
And if there are any good advantages to sessions in situations like these?

What situations? I didn't see any situations at all in your post above.

NogDog

Not much I can add to Brad's responses, other than to point out that PHP sessions are probably used is some implementation or other by virtually every non-trivial PHP site out there. 🙂 The "secret" is to understand how the session ID is exchanged between the client and server (typically via a cookie, but not necessarily) and how the data is stored and accessed (typically via the server's file system, but often using a custom session data handler to use a database, instead). As Brad pointed out, session expiration is essentially whichever occurs first: the session ID cookie expires, or the session data stored on the server is deleted; and both are separately configurable for whatever your specific needs are.

Ethan22

Thank you, there are too many new articles online then that are extremely incorrect. Some of you should write some articles on the way sessions really are to help offset most incorrect online articles. Looks like I should ask then, if something general that happened on a web page before needed to be remembered online for the same visitor that came back to the same general web page again. Which would some of you that use cookies and sessions a lot prefer using making a quick decision on which you wanted to use, and why if you don't mind saying why you'd prefer one also. These, $SESSION['variablegettingpassed'] or these $COOKIE['variablegettingpassed']. Since I really don't know what some prefer to pick like that. I really don't know if one is best to use like that. Some here please don't be perfectionist so don't help, most can generally tell what I mean also by this last important question, and is the reason I asked about this in the beginning. It is what I was really needing to get help with in the beginning which one is preferred by some experts, for something just real simple and general for a web page which one is preferred. Do you find more problems using one over the other for that, so is why you prefer one more than the other. So just one you find yourself preferring for that. I've been using cookies all over a website for things like that, and I don't know if that is the best and easiest way why it is important for me to know this. So I can decide if I should be using sessions for things like that in the future, or if I should keep using cookies. Many people say use sessions now instead for that, so it is too confusing for me which one I should be using for that now, and why I needed to even ask.

NogDog

If it is non-critical information (i.e., it's just a bit of an inconvenience for the user if it is not remembered), then I might use a cookie. If it is information intended to carry over from page to page for a related sequence of actions, such as a form sequence; or something such as keeping a user logged in, then I'd probably use session variables. If it's effectively permanent information connected to that specific user, then I would store it in the databse -- and then you would access it via the user ID which is probably stored in a session variable when the user has logged in successfully (and then possibly store it in a session variable if you expect to need to access it fairly often).

bradgrafelman

Another point to consider is security. Do you care if the values you're getting back were modified (maliciously or not)? Session data can't be modified by the end user, but data from cookies definitely can.

In other words, you wouldn't want to store an "isAdmin" boolean flag in a cookie, since non-admin users could simply modify their cookie to gain admin access.

Ethan22

Thank you both very much those were extremely helpful to me, finally someone, somewhere, explained these things well. That is just the kind of thing I needed to make things more clear. Both of you cleared it up so well now my confusion is gone, and I've been confused about it for years also after much searching. It is really appreciated thank you both very much! Looks to me like both of you need to colaborate on a book 🙂, sessions and cookies. Remember to include your user names in it too, if you have helped many, from your great help to them they probably would spread the word. Now I see also why many have been telling me sessions lately, but no one could ever give good explanation of why. You both really need to write that book together. Or individually, but takes a lot of time you probably don't have. Thank you and best regards to both of you.