I'm trying to learn PHP. I have a project website where numbers are constantly being generated, changed and stored in javascript variables. There is very little php involved except in storing these variables to a database when the user hits the "store to database" button. Today I was using the site, navigated to another website and went back, and all my data was gone as I had not stored it to the database first. I would like to save that data so it repopulates if I leave the page. What would be the best method of doing this? php sessions, cookies, or javascript cookies? Please advise, thanks in advance!
php sessions, cookies, or javascript cookies?
There is either a session or cookie so there are two things not three.
Now a session is also a cookie but is saved on server unlike simple JS cookie which is saved in user's machine.
I would like to save that data so it repopulates if I leave the page
If it is sensitive information, always use database to store it and if it is not sensitive data:
Use cookies or localStorage but it can be deleted by user
Use session which can't be deleted by a user but will expire based on php.ini settings
On the other hand, to save it permanently, use the database instead.
PHP and Javascript cookies are the same thing, they are just data stored client side, php and javascript are the technology used to store them, nothing more.
Since PHP cookies can only be set before an output is sent to the page, it seems Javascript cookies would be best.
You would use cookies instead of a session because you mention you would leave the page, in which case the session would terminate and you would lose your data.
Use sessions when you want to temporarily store some data (for one session - until user closes his browser).
Use cookies when you want to store data for longer (like login credentials).
You should also have on your mind that user can change value of stored cookies, but can't for sessions, since sessions are stored on a server, but cookies are stored on client's computer.
I believe cookies is the answer you need, as php session is only stored between page loads, so you are effectively sending the data back to the server already (not what you want) and as far as I know, javascript cookies are just cookies set with javascript.
So to clarify, I think you should set a cookie (by using javascript) every time some data is created - which will store locally on the browser (still fairly volatile) until the user presses the save button, where it will be sent back to the server.
PHP cookies if you want to store long term, but don't care whether the user changes the values or not.
PHP sessions if you don't want the user to have the ability to change values but don't need long term storage (this sounds like what you want)
Both session and cookies if you want to store long term and don't want users to have access to changing the values. You would want to use a database with this so that you could check the cookie information with the database to see if it was correct, and then store the data in sessions for easy access.
This is how many sites 'remember users'.. They store a cookie with the username and password, and then when the user visits the site (if a session is not set) they check the username and password with the database and then if it is correct, they create a session specific to that user.
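The cookie-checked-against-the-database flow described above, as an added example that is not part of the original answer: this variant keeps a random token in the cookie rather than the username and password, stores only the token's hash, and creates the session once the hash matches. The `remember_tokens` table, the cookie name and the function names are assumptions.

```php
<?php
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';        // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;    // 30 days

// Call right after a successful password login.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector = bin2hex(random_bytes(9));     // public lookup key
    $token    = bin2hex(random_bytes(32));    // secret, never stored in clear
    $expires  = time() + REMEMBER_TTL;
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, "$selector:$token", [
        'expires'  => $expires, 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Restores a session from the cookie; returns true when the visitor is logged in.
function loginFromRememberCookie(PDO $db): bool
{
    if (isset($_SESSION['user_id'])) {
        return true;                          // session already exists
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$selector, $token] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The cookie is client-controlled: compare hashes in constant time.
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // Tokens are single use: delete the old one and issue a fresh one.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    issueRememberToken($db, (int) $row['user_id']);
    return true;
}

// Demo wiring (assumption): a SQLite file in the temp directory.
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/remember_demo.sqlite');
$db->exec('CREATE TABLE IF NOT EXISTS remember_tokens
           (selector TEXT PRIMARY KEY, token_hash TEXT, user_id INTEGER, expires INTEGER)');
session_start();
echo loginFromRememberCookie($db) ? 'session restored' : 'please log in';
```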
Related
I need to store data in a session and make it available for other users.
I thought about storing that data in a session and generating a random link, which user 1 can send to user 2. The session should expire after 3 months.
The session name is the random code I generate, which is similar to the code I send with POST to receive it on the Secretlink with $_GET.
Is this working in general or am I on the wrong track?
Can I store a Session even when the user 1 left the website or will the session be terminated?
I also need to set the session via jQuery, but I couldn't find anything about expiration time of a session.
I already did it with a cookie, but of course that's not working with user 2.
Sessions are actually files, stored on the server. PHP sets a cookie with the session id, named PHPSESSID. You can also use the PHPSESSID GET parameter, but you would have to change that in the server's PHP settings. Using the GET parameter, you could pass that link to another visitor to let him use the session. You would also have to extend the session expiration time.
However, I wouldn't recommend sharing sessions with GET parameters. It could be a security risk when you are storing personal data in those sessions. I recommend that you write a small script that stores data in a database and that can be accessed (for reading and writing) by requesting an url or any url with a special GET or POST parameter.
One last thing, sessions are never accessible from jQuery directly. You would have to write a small script that requests data on your server via AJAX.
I have created a registration/login system for my members area. Once the user has logged in I want to store a session variable that I can use to retrieve data associated to the user from the database.
Should I encrypt the variable in any way? The data I want as a variable will either be the username or the id, which is best?
Should session ids be regenerated in any way, and when?
Data storage in session is considered to be "safe", so you don't need to encrypt-decrypt it.
You should regenerate your session id after a successful login/logout. For security reasons, I would recommend asking the user for his password if he wants to perform a critical action (changing important data, deleting account or submitting an order, for example).
As AurimasL stated, you don't have to worry about session data on the server side. I recommend this reading, if you are on a shared host, because then there are some security aspects: http://phpsec.org/projects/guide/5.html
Session IDs are stored like a cookie on the client's machine, and are passed back to the server for every single request. This is how PHP determines what information to load into a session once it receives the request.
Since sessions live on the server and not on the client, you only need to worry about session hijacking in regards to whether the information stored in them is secure or not. The answer to your question is no, I would not try to encrypt the information that is stored in session.
Just an addition to the comments below,
Keep in mind that creating sessions is expensive for your server app. Sometimes it is a good idea to store the id in the session and other information in cookies (information that doesn't need security, such as the username).
Would it be okay to save the same navigation data in a session (server-side) and in a cookie (client-side) so that a user whose browser allows cookies can have the same advantages that one whose browser is?
The only difference would be that, while the user whose browser allows cookies can log weeks later and have his navigation information remembered (language, etc.), the other only would be as long as his browser is not closed, right?
The only difference would be that, while the user whose browser allows
cookies can log weeks later and have his navigation information
remembered (language, etc.), the other only would be as long as his
browser is not closed, right?
It depends on how long you keep session data in database. Session data in database and in cookie works almost equally. Only difference is from where you get your session data - cookie or database. Cookies have expiration time, database records - how often you clear session table.
As a generality (meaning you could fudge it if you wanted), if you use sessions it has to put a cookie on the user's computer so the correct session can be pulled up, so there really wouldn't be an advantage. If they allow cookies, they can have a session.
Hi I would like to know the difference between a php session and a cookie
The main difference being that session data is stored on the server, while cookie data is stored on the client. Therefore, a client can easily modify the cookie contents, but will have to work way harder to modify the session contents.
Cookies are a means to store information in the end-user's browser, so that the server can track the end-user.
Sessions are also implemented by using cookies, but the actual data is not in the browser; rather, it is stored in the user's session record on the server. In the case of sessions, cookies are used to identify a particular end-user's session identifier on the server records. Hence, they are a more secure way of storing user information.
A cookie is a piece of data stored on the client side.
Data stored in session is stored on the server side, and the various sessions are identified by cookies.
There are session and Cookies, both are used to store values or data. But there are some key differences between session and cookie: a cookie stores the data in your browser and a session is stored on the server. Cookie data is available in your browser up to expiration date and session data available for the browser run, after closing the browser we will lose the session information.
A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser, it will send the cookie too.
A session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application.
A cookie is an unique information that the user sends to the web server with each request in order to identify him. This unique id could be used to store information about this specific user on the server (session).
Cookies will only expire on expiry time or if you explicitly clean cookie / cache of your browser. Cookies will retain into the system even after you open your browser next day.
Cookies are stored on client's system so they are less secure.
Session will expire on its expiry time or if the browser has been closed. As session is stored on server so it is more secure.
So for a login module, a combination of session and cookie should be used
Cookies stored client side but session stored server side.
cookies is without sign out of the your email account and close it. once again can not enter username and password but your email account is open.
session is close the webpage once again open to starting page appear
Best example to illustrate the difference between Session and Cookies is:
When you log in as a member on any site, it creates sessions until you log out...
That is Session.
And Cookies: when you browse websites, they are stored on your computer's Main Memory; that is Cookies.
i-e Session is Server side
and cookies is Client side
We got three differences in general. The key difference would be that cookies are stored on the client side and sessions are stored on the server side. The second difference would be that cookies can only store strings. We can store our objects in sessions. Storing objects in sessions was really useful in my experience. Another difference was that we could save a cookie for future reference, but a session couldn’t. When users close their browser, they also lose the session.
PHP Sessions
PHP has built-in functions to save session variables. The variables are stored in state files. These state files need not be explicitly created and managed. The following are the steps for saving and retrieving values of session variables.
The setcookie() command must be issued before any printed output occurs because the cookie must be written as part of the HTTP header. PHP automatically parses any HTTP_COOKIE string into an associative array $_COOKIE. The value of the cookie can be retrieved from the cookie thus:
$_COOKIE["some_var"]
Cookie: A key/value pair that is stored by the user's browser and is available in the superglobal $_COOKIE array available in PHP. The cookie request is initiated with an explicitly defined expiration date. For example:
setcookie('cookieName', $some_value, time()+3600, "/", ".example.com");
On the next server request, $_COOKIE['cookieName'] will be available. If you use a browser tool to look at the cookie, it will have an expiration date.
Session Cookie: Identical to the above but defined without an expiration date. If you use the same browser tool it will say that the cookie expires at the end of the session; which is ultimately when you close your browser. For example:
setcookie('cookieName', $some_value);
PHP Session: a server side mechanism that will associate a bunch of data with a session id. Every time a session is invoked, it serializes/unserializes it. This could be more data than just a single key/value pair that a cookie supports, but the way of associating this data with a user is by creating a cookie (regular or session as described above) in their browser that contains the session id. This way, the right data can be retrieved for a given user based on the value of that cookie.
Both are super global, i.e, they can be used anywhere in the site.
Differences between sessions and cookies:
Cookies are stored in the browser (client side) while sessions are stored in the server (host).
Cookies are remembered till they are deleted while sessions are deleted when the user closes the tab/browser (depending on the browser).
Cookies can be seen by the user while sessions cannot.
Due to the reasons above, I would recommend to not store sensitive data in cookies and store the data that is to be remembered even after the user has left in cookies.
Cookie - Data stored in the browser; it works on the browser and client side only. For example, if you log in to a Gmail account with username and password, then after a successful login, if you close the current tab and after some time open the same page, the login page won't come up; it will open directly with your login details. This is a cookie.
Session - Data stored on the server side. For example, same as the cookie example: after entering login details you will get a notification of success; once you close the browser and then open it after some time, it will ask for login details again (another example is shopping).
I'm making a forum for learning mostly but hopefully it will have a couple of users some day.
What I'm wondering is should you use sessions or cookies for user authentication?
A cookie is a short piece of arbitrary data that the server sends through a header; the client stores it locally and sends it back on the next request. This mechanism can be used to maintain state from one request to the next even though HTTP itself is a stateless protocol. Cookies have two disadvantages: They offer only very limited amount of space (4 kB), and because they are sent back and forth in plain, a malicious client can fiddle with the contents before sending it back to the server, effectively making cookie data untrusted.
A session is a file on the server, identified by a unique ID which is sent back and forth between client and server so that the server can identify the client. The most popular way of sending the session ID is through the cookie mechanism, but it is also possible to pass the session ID through the URL (this is why you often see links that contain the URL parameter 'phpsessid'). This solves the two problems with cookies mentioned above: A file on the server can be as large as required, and the client cannot access the data other than through your own scripts.
Authentication is typically solved using cookie-based sessions; once authenticated, a new session is created, and the user ID is stored in it, and when logging out, the session is cleared and a new session ID is generated. Alternatively, you could store username and password in the session, and check them on every request.
Use a session.
A session is identified by a cookie, true, but not the same as storing user auth info in the client cookie, which is bad for security. A session cookie stores a guid or a hash in the cookie, then identifies the session (either database or file system based, depending on your server's php settings) based on that.
I recommend you store the primary key from your user table, not any other info, then look up the user info every time - this allows you to change their validation status, or security level on the fly while they are logged in; otherwise they will have to log out and back in before your administrative changes take effect for them - IE. you can't boot them.
Also, don't store the username/password, because that requires a less efficient query than by the indexed primary key (even if they are indexed as well).
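The session-based login these answers describe (regenerate the session ID at login and logout, keep only the user's primary key in the session, look the user up on every request), as an added example that is not code from any of the answers. The `users` table layout, the demo account and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed demo data: an in-memory SQLite users table with one account.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, is_active INTEGER DEFAULT 1)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh ID after login, old session data deleted
    $_SESSION['user_id'] = (int) $row['id'];  // only the primary key goes into the session
    return true;
}

function logout(): void
{
    $_SESSION = [];                           // clear the session data
    session_regenerate_id(true);              // and hand out a new session ID
}

// Looks the user up on every request, so disabling an account takes effect at once.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, is_active FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !$user['is_active']) {
        logout();
        return null;
    }
    return $user;
}

// Add 'cookie_secure' => true when the site is served over HTTPS.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);
$db = demoDb();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    login($db, (string) filter_input(INPUT_POST, 'username'), (string) filter_input(INPUT_POST, 'password'));
}
$user = currentUser($db);
echo $user ? 'Logged in as ' . htmlspecialchars($user['username']) : 'Not logged in';
```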
They are essentially the same, working hand-in-hand. When you create a session..say through PHP, a cookie is created to store the session id too. On the other hand, you would create another cookie if you want to implement a "Remember Me" option to prevent your users from logging in every time.
I'm not a PHP expert, but Session and Cookie are related. In other programming languages you have the option of creating "Cookie based session" or "Cookie-less session". I'm not sure about PHP though so maybe you are referring to different concepts.
I feel using session is much more safe and easy than using cookies. The reasons are as follows:
1) In cookie we can only store a single piece of information, whereas in a session we can store as much information as we want.
2) Being stored on hard disk of user, cookies can be played with. Being a person interested in hacking, I have done that and gathered useful information about the user. Sessions cannot be used for such a thing.
If it's a small amount of data (just one variable), I would use a cookie. Here is the code...
setcookie("cookiename", "cookie value or variable name", time() + 3600, "/"); // name, value, expiry (now + 1 hour), path
This code sets a cookie that is readable for any of your webpages. It also will delete itself in one hour.
You can also see if the cookie exists like this (to see if it has deleted itself).
if (isset($_COOKIE['cookiename']))
{
    // the cookie is still present
}
To collect a value from a cookie...
$value = $_COOKIE['cookiename']; // makes a variable for this cookie for your program