Session or Cookie ??

Anon

which one is the BEST and Secure way to trak a user ..Session or Cookie ??

I have used cookie on my site but at the time of loign when I set a cookie and try to track it on the NEXT page through

IF ($HTTP_COOKIE_VARS['USER']=='')
{
}
IT IS UNABLE TO FIND THE COOKIE BUT WHEN I do it simple by a variable like

if ($user=='')
{
}
it works fine ..But this is a big problem .. like if a user type that variable on the URL then he will automatically login ..like...

www.mysite.com/my_page.php?user=username

I am stuck with this problem.. What is the solution any idea ??

How can I get the Cookie value on the very next page ?

Regards
Tabish

Anon

hi,
Actually this is a simple question to answer but complex in itself when comes to real time iplememntation.

If at all you want to use cookies put all your secured pages in a particular directory and call them using just their file name for

e.g you have set a cookie on
page1.php3 then you need to access the cookie on the page2.php3.you just give the hypertext reference from page1 as page2.php3 and provided that page1.php3 and page2.php3 comes under a same directory

or if you have a domain name you can set a cookie for the root of the domain name ..so that what ever page you access which exntends the domain name it will work.

e.g.

setCookie("identity","anyvalue",time(),"/",".yourdomain.com",0);

friend the time set is the sxpiry for the cookie the rest i belive u understand

But cookies dont do a good job as well..why ?
because some of the clients do support and some dont do support..If you have properly planned your website then you can use random values and can append to the hyperlinks..I hope you got the spark.

Regards
s.r.k.reddy.

Anon

yeah I feel that the cookie is not secure enough .. but could you please explain me about the randam numbers ??

Please expain a bit.. I will be thankfull..

Regards
Tabish

Anon

hi tabish,
See random number generation is nothing but maintaining a session ..but a little different way

When the user logs in, you verify his details and dynamically generate a ID and store them on the server ...If at all you feel confused you take it for granted that you store them in a DB..along with identities of the user .

After generating the random number you try to send to all the out going links as and additional parameter e.g.
http://something.com?rand=#76mbkj^%*&

or else if you are validating any form then send as a hidden type variable..

When the user signs out then delete the random variable or make it to null.

Remember this is only safe if at all you validate the request in every page..If at all your are not targeting all age groups then ,you better go for Cookies..they are simple and easy, you need not bother about all this set a cookie under root directory then every thing is finished.

OR one more way you can do, you do programing in such a way that you find out which browser cant load cookie in the first visit to your web site and to that clientile you assign the random numbers...

Be careful handling all this ..as either one of them should be there ...but not both..It would be a little lengthy programing but definitely a useful and forever one.I mean the last one.

Good Luck.

s.r.k.reddy

Anon

Thanx a lot Mr. Reddy,

But I have another doubt, what if the user doesn't sign out, I mean if he/she simply closes the browser without signing out then the random number will be stored in database, but this can be solved by assigning some timestamp with that..but don't you think that the site will become slow if i am going to validate the random number on each page??

Actullly what i am developing is a large traffic site and connecting each page with the database can make it slow, what do you think?

Anyway.. again thanx a lot for your kind consideration.

Regards
Tabish