Need help with sessions.

Anon

Hi, I have some questions about sessions.

I read some articles about sessions and I have few questions that i don't understand.

Are sessions the same as cookies? To me they seem like they are the same.

I building a store and I know that I can't use cookies because the
visitors cookie might be turned off, than I can't store anything that he buyes
on my website.

What about sessions, how are they implemented how do they work?
Do they use cookies in any way.

Will they work even if the visitor does not accept cookies?

Thank You

Roman987@aol.com

Anon

Hi roman,

Sessions are NOT the same as cookies. A session is a way to collect information
relating to an ongoing HTTP browser
connection.

For example - In a typical form application,
the user usually begins filling information
in the first page and this information
is used later to guide the web application
(e.g., user name and password).

Now as you may already know, web servers
are (by nature) stateless. So you cannot
collect this information inside the web server address.

During time, various techniques have evolved
that allow this information to be collected
despite the fact that web servers are
stateless:

Using hidden text fields inside web forms
allows you to pass this information in
subsequent web pages without the user
being able to look at them directly.
Using cookies. Cookies are small chunks
of information that are first sent by
the server to the browser and are than
returned to the server each time the
browser requests a new page.

This method has many disadvantages:
1. Cookies are limited in size, so you
  can't remeber large objects during
  the session.
2. Some browsers do not support cookies
  or may have the cookies feature turned
  off by the user (e.g., to save on
  network bandwidth).
Allocating a special number (called
'session identifier') to every new
HTTP connection to the web server.
Than using this session identifier
to collect information in the web
server or in a database.

For example: A new user has formed an
HTTP connection to the web server. The
PHP script that runs in the server
allocates a new session identifier for
this new connection. It than uses a UNIX
file that corresponds to this session
identifier to store all the data that
is collected during the session.

This technique has the advantage that
you can store big objects (you are not
constrained by the size of the cookies).

The only problem here is how do you pass
the session identifier to the server in
first place. Two methods prevail:
1. Use a special (single) cookie to store
  the session identifier. This still
  require the browser to support cookies.
2. Pass the session identifier in the URL
  of subsequent pages.
  For example:
  "http://www.bobo.com/query?sid=123335"
  
  PHP has support for this method also
  and the advantage here is that you
  need not use cookies (which is what
  you want).

Another, not very common method is ->

Pass the session identifier in a hidden
text field.

As I've said before, the actual session
data can be stored in UNIX files (default
method in PHP) or even in the database
(I've seen an article here that explains
how it can be done).

Using session identifiers has another
desirable effect: It allows us to use
a cluster of stateless web servers. In
case one of these web servers fails,
another web server can take over and
serve the user because all user specific
data is stored in persistent storage
(files or the database) associated with
the session identifier.

Hope this helped