Session questions

Jon
All,

I have a question regarding the usage of sessions and cookies. I'm still a
fairly new developer, but have built quite a few login-driven applications
using MySQL for the backend and PHP for the front end.

When I have a login, I generally do the standard algorithm - Check the DB
for a matching UN/PW, set a session variable as true (or just set the
username as a session var) and then check if the session['username'] var
is set. If it's set, they're logged in; if it's not, they're not and I
redirect back to login.

My question has come up recently as I've seen many PHP developers using
setcookie() and running their code off of this. I'm using the following
method if there has been a matching un/pw combination found in the DB:

if($totalRows != 0){
    $_SESSION['username'] = $row['usernameFromDB'];
}

Then, in my include file to check, I'll say something like:

if(!isset($_SESSION['username'])){
    header("Location: login.php");
    exit; // stop the rest of the protected page from running after the redirect
}

What's the difference here between calling cookies and just using the
$_SESSION variable? Is there a flaw in my login systems here that I may want
to rethink? Thanks in advance.
Mar 28 '06 #1
As I understand it, having the information in the cookie on the user's
system makes it possible for someone to create a counterfeit cookie and
spoof the system. Using the $_SESSION array keeps it on the server side
and is more secure.

--gary

Mar 28 '06 #2
Jon
Is there any advantage to be gained from using the calls to a cookie then?
I thought that setting a $_SESSION variable also saved a cookie anyways...

"fiziwig" <fi*****@yahoo.com> wrote in message
news:11**********************@t31g2000cwb.googlegroups.com...
> As I understand it, having the information in the cookie on the user's
> system makes it possible for someone to create a counterfeit cookie and
> spoof the system. Using the $_SESSION array keeps it on the server side
> and is more secure.
>
> --gary

Mar 28 '06 #3
Jon wrote:
> Is there any advantage to be gained from using the calls to a cookie then?
> I thought that setting a $_SESSION variable also saved a cookie anyways...
>
> "fiziwig" <fi*****@yahoo.com> wrote in message
> news:11**********************@t31g2000cwb.googlegroups.com...
>> As I understand it, having the information in the cookie on the user's
>> system makes it possible for someone to create a counterfeit cookie and
>> spoof the system. Using the $_SESSION array keeps it on the server side
>> and is more secure.
>>
>> --gary

Yes.

When you use sessions, the data remains on the server. Only the session id is
saved as a cookie. Also, if the user has cookies disabled, the session id can
be passed as a GET parameter.

Also, the session id is a long string of random characters - very hard to guess,
and is only valid during that session. Unlike a user id, which is shorter,
oftentimes visible (i.e. in discussion boards, etc.) or at least easily
guessable, chances are the session id will not be guessed.

OTOH, if you store the userid as a cookie on my machine, I can get in and edit
it - changing the username to 'admin'. And if you use 'admin' as your logon to
your private administrative area, I now have access to all of your admin functions.

And you also need to remember that cookies are sent in plain text (unless you're
using the https: protocol). So anyone between you and your site can sniff out your
userid. Admittedly, the chances of this happening to the typical site are small -
but it is possible.

It always pays to keep sensitive stuff on the server!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 28 '06 #4
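The contrast Jerry draws, as an added example written for this page and not code from any poster: a login check that trusts a username cookie beside the $_SESSION version, with the hardening a practitioner would pair with it. Assumed: a login.php page, $totalRows and $row set by the DB lookup as in Jon's post, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from any poster in this thread. It contrasts the two
// patterns discussed: trusting an identity stored in a client cookie versus
// keeping the identity server-side in $_SESSION and sending only the session id.
// Assumed: login.php exists and the DB lookup sets $totalRows and $row as in Jon's post.

// Weak pattern: the identity lives in a cookie the client controls. The browser
// owner can set it to 'admin' and the server has no way to tell it was edited.
function currentUserFromCookie(): ?string
{
    return $_COOKIE['username'] ?? null; // client-supplied, so untrusted
}

// Recommended pattern: only the random session id travels in the cookie and the
// username is looked up server-side, so editing the cookie cannot change who you are.
function startSecureSession(): void
{
    // Refuse ids passed in the URL (they leak via Referer and browser history) and
    // send the id cookie only over HTTPS, which answers the plaintext-sniffing point.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function loginUser(string $usernameFromDb): void
{
    // Issue a fresh id on login so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username'] = $usernameFromDb;
}

function requireLogin(): string
{
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit; // without exit, the rest of the protected page still runs
    }
    return $_SESSION['username'];
}

// In the login handler, after the DB check:
//   startSecureSession();
//   if ($totalRows != 0) { loginUser($row['usernameFromDB']); }
// At the top of every protected page:
//   startSecureSession();
//   $user = requireLogin();
```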
