Are cookies necessary to create a login page with php (that keeps you logged in across several pages), or could a session variable do the trick without use of cookies?
Answer simply is yes.
Sessions rely on a session id.
Sessions in php use a cookie to store this id, but you can change it to append the id to each url instead of saving it in cookies.
ini_set('session.use_cookies', false);
in the config variable url_rewriter.tags, you see which URLs automatically get rewritten to append this id:
"a=href,area=href,frame=src,form=,fieldset="
As Pekka mentions, jQuery requests and special JS/Ajax/jQuery calls are not getting rewritten by default and you have to append the id manually like:
<script>
$.get('/yourpage/?PHPSESSID=<?php echo session_id(); ?>');
</script>
The session name can be obtained via session_name(); the default is in the config variable session.name.
Use ini_get(); or phpinfo(); to see your configuration.
Actually, if you are using sessions, you can use a cookie or special GET/POST fields to identify yourself to the server. The server, using the user id passed either by GET/POST or by a cookie, knows which data set is connected to the current user/client on the server side. This way, using sessions, you can store data on the server side while sending only a special user id to the client.
This way you can save login data for each user, so login functionality can be implemented using sessions in PHP.
And yes, you can solve login with no other cookie than the session user ID, or use the POST/GET session id.
Typically sessions are more reliable when working with keeping a user logged in. Sessions are stored on the server, whereas cookies are stored client-side. So it comes down to: do you want your login dependent on something the client can control and manipulate?
I've had first hand issues with logins being hacked with cookies, so I suggest sessions.
No, you do not need cookies in order to set up a login system, sessions suffice. However, if you seek a "Remember me" option, you need cookies in order to keep the user logged in beyond the point when the user closes the browser or the session expires.
http://www.php.net/manual/en/features.sessions.php
For maintaining a session with the server, you need to identify yourself (your page) to the server, so that the server can keep track of your page's subsequent requests and maintain a session.
So, if you only have username and password option on your login page, then cookies may not be required. Refer to the following link:
Passing the Session ID from page to Server
You can have a special URL which will have identifier as part of URL, which will inform server about your subsequent request.
However, please note that this type of special URL is not always the recommended approach, because it is less secure than a cookie-based session. For example, someone may paste their own link in a chat or in an email, and another person will enter your site without a username/password.
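The answers above describe two transports for the session ID (cookie, or appended to every URL) and note that the URL form leaks the ID whenever a link is shared. The following added example, which is not code from any of the answers, shows the cookie-only configuration a login page would use today: the ID is never read from the URL, IDs the server did not issue are rejected, and the ID is rotated at login. The user store, the demo password and the form field names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Session transport: cookie only, reject IDs the server did not create,
// and keep the cookie out of reach of scripts and plain-HTTP connections.
ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
ini_set('session.use_trans_sid', '0');     // never rewrite URLs to carry the ID
ini_set('session.use_strict_mode', '1');   // ignore unknown/uninitialised IDs
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable via document.cookie
    'samesite' => 'Lax',
]);
session_start();

// Constructed user store for the example; a real application queries a database.
$users = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Fresh ID after the privilege change, so an ID handed out before login
    // (for instance one pasted into a URL) cannot be reused for the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    // Remove the cookie on the client as well as the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request handling: POST user/pass to log in, ?logout=1 to sign out.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        http_response_code(401);
        echo "bad credentials\n";
        exit;
    }
}
if (isset($_GET['logout'])) {
    logout();
}
echo current_user() === null
    ? "not logged in\n"
    : 'logged in as ' . htmlspecialchars(current_user()) . "\n";
```

Run it behind the built-in server (php -S localhost:8080) and watch the Set-Cookie header: the only thing that ever reaches the client is the PHPSESSID value, and with use_only_cookies set, a ?PHPSESSID=... query parameter is ignored entirely.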
You can do authentication without cookies (or sessions which are a special case of cookies) but it won't be on a page. This method is called HTTP Authentication.
I have a weird problem. I have a web page that on the main page sets a session variable for each user that visits, and then on the next pages, if the session variable is set, some stuff is shown and some other isn't. The variable I'm setting is just a "1".
$_SESSION['user_id'] = $user_id;
Everything is simple, everything is working great, but I have this one user, that the server doesn't save the session variable for. Just one guy as far as I know. What can be causing this behaviour? He is using a mac if that matters, but on other macs the website works great.
Thanks.
When you call session_start() PHP sets a cookie with just the PHPSESSID variable set. This variable is used to identify the client browser with the session data on the server. If your user has disabled cookies, then it is not possible to use sessions without passing PHPSESSID back and forth in every request via GET or POST.
HTTP is a stateless protocol. If the session were only on the server side, how could it distinguish between users?
[HTTP is a stateless protocol means: HTTP requests are responded to by the server, and it forgets who sent the request and where it came from.]
This is why cookies store the session IDs.
In other words, if a user disables cookies, he is not allowing PHP to set the session for him. This is the reason behind it.
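Both answers above come down to one observable fact: the session only persists if the browser returns the PHPSESSID cookie on the next request. The added example below (my own code, not from the question or the answers) turns that into a check a page can run, which is how one would diagnose the single user whose session variable never sticks: on the first visit the cookie is set and the page redirects once to itself; if the cookie is still absent after the redirect, the client is not storing cookies. The probe query parameter and the log line are constructed for the example.

```php
<?php
declare(strict_types=1);

ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// True when the browser sent back the cookie that carries the session ID.
function client_returned_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

// Diagnostic record for the "works for everyone but one user" case:
// log the user agent together with whether the cookie came back.
function log_cookie_probe(bool $returned): void
{
    error_log(sprintf(
        'session-cookie probe: returned=%s ua=%s',
        $returned ? 'yes' : 'no',
        $_SERVER['HTTP_USER_AGENT'] ?? '(none)'
    ));
}

if (!client_returned_session_cookie()) {
    if (isset($_GET['probe'])) {
        // Second request and still no cookie: the client does not store cookies,
        // so no value written to $_SESSION will survive to the next page.
        log_cookie_probe(false);
        echo "Your browser is not accepting cookies; login cannot be kept across pages.\n";
        exit;
    }
    // First visit: the cookie is being set in this response. Redirect once
    // to see whether the browser sends it back.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?') . '?probe=1');
    exit;
}

// Cookie came back: session data will persist between pages.
if (isset($_GET['probe'])) {
    log_cookie_probe(true);
}
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo "Visits this session: {$_SESSION['visits']}\n";
```

The redirect is deliberately limited to one hop by the probe parameter, so a cookie-blocking client gets a clear message rather than a redirect loop.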
What is the distinction between Sessions and Cookies in PHP?
A cookie is a bit of data stored by the browser and sent to the server with every request.
A session is a collection of data stored on the server and associated with a given user (usually via a cookie containing an id code)
Cookies are used to identify sessions. Visit any site that is using cookies and pull up either Chrome inspect element and then network or FireBug if using Firefox.
You can see that there is a header sent to a server and also received called Cookie. Usually it contains some personal information (like an ID) that can be used on the server to identify a session. These cookies stay on your computer and your browser takes care of sending them to only the domains that are identified with it.
If there were no cookies then you would be sending a unique ID on every request via GET or POST. Cookies are like static IDs that stay on your computer for some time.
A session is a group of information on the server that is associated with the cookie information. If you're using PHP you can check the session.save_path location and actually "see sessions". They are either files on the server filesystem or backed in a database.
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser.
Sessions are more secure than cookies as they are stored on the server. Cookies can be turned off from the browser.
Data stored in cookie can be stored for months or years, depending on the life span of the cookie. But the data in the session is lost when the web browser is closed.
Cookie
is a small amount of data saved in the browser (client-side)
can be set from PHP with setcookie and then will be sent to the client's browser (HTTP response header Set-Cookie)
can be set directly client-side in Javascript: document.cookie = 'foo=bar';
if no expiration date is set, by default, it will expire when the browser is closed.
Example: go on http://example.com, open the Console, do document.cookie = 'foo=bar';. Close the tab, reopen the same website, open the Console, do document.cookie: you will see foo=bar is still there. Now close the browser and reopen it, re-visit the same website, open the Console ; you will see document.cookie is empty.
you can also set a precise expiration date other than "deleted when browser is closed".
the cookies that are stored in the browser are sent to the server in the headers of every request of the same website (see Cookie). You can see this for example with Chrome by opening Developer tools > Network, click on the request, see Headers:
can be read client-side with document.cookie
can be read server-side with $_COOKIE['foo']
Bonus: it can also be set/get with another language than PHP. Example in Python with "bottle" micro-framework (see also here):
from bottle import get, run, request, response

@get('/')
def index():
    # The browser sends the cookie back on every later request to this host.
    if request.get_cookie("visited"):
        return "Welcome back! Nice to see you again"
    else:
        # First visit: emit a Set-Cookie header with the response.
        response.set_cookie("visited", "yes")
        return "Hello there! Nice to meet you"

run(host='localhost', port=8080, debug=True, reloader=True)
Session
is some data relative to a browser session saved server-side
each server-side language may implement it in a different way
in PHP, when session_start(); is called:
a random ID is generated by the server, e.g. jo96fme9ko0f85cdglb3hl6ah6
a file is saved on the server, containing the data: e.g. /var/lib/php5/sess_jo96fme9ko0f85cdglb3hl6ah6
the session ID is sent to the client in the HTTP response headers, using the traditional cookie mechanism detailed above: Set-Cookie: PHPSESSID=jo96fme9ko0f85cdglb3hl6ah6; path=/:
(it can also be sent via the URL instead of a cookie, but that is not the default behaviour)
you can see the session ID on client-side with document.cookie:
the PHPSESSID cookie is set with no expiration date, thus it will expire when the browser is closed. Thus "sessions" are not valid anymore when the browser is closed / reopened.
can be set/read in PHP with $_SESSION
the client-side does not see the session data but only the ID: do this in index.php:
<?php
session_start();
$_SESSION["abc"]="def";
?>
The only thing that is seen on client-side is (as mentioned above) the session ID:
because of this, session is useful to store data that you don't want to be seen or modified by the client
you can totally avoid using sessions if you want to use your own database + IDs and send an ID/token to the client with a traditional Cookie
A session is a chunk of data maintained at the server that maintains state between HTTP requests. HTTP is fundamentally a stateless protocol; sessions are used to give it statefulness.
A cookie is a snippet of data sent to and returned from clients. Cookies are often used to facilitate sessions since it tells the server which client handled which session. There are other ways to do this (query string magic etc) but cookies are likely most common for this.
Cookies are stored in the browser as a text file format. It stores a limited amount of data, up to 4kb [4096 bytes]. A single cookie cannot hold multiple values, but yes, we can have more than one cookie.
Cookies are easily accessible so they are less secure. The setcookie() function must appear BEFORE the tag.
Sessions are stored on the server side. There is no such storage limit on sessions. Sessions can hold multiple variables. Since they are not easily accessible, they are more secure than cookies.
One part missing in all these explanations is how cookies and sessions are linked: by the session ID cookie. The cookie goes back and forth between client and server; the server links the user (and its session) by the session ID portion of the cookie.
You can send the session ID via the URL also (not the best practice), in case cookies are disabled by the client.
Did I get this right?
Session
Session is used for maintaining a dialogue between server and user.
It is more secure because it is stored on the server, we cannot easily access it.
It embeds cookies on the user's computer. It stores unlimited data.
Cookies
Cookies are stored on the local computer. Basically, it maintains user identification, meaning it tracks visitors record. It is less secure than session.
It stores limited amount of data, and is maintained for a limited time.
Hi, I would like to know the difference between a PHP session and a cookie.
The main difference being that session data is stored on the server, while cookie data is stored on the client. Therefore, a client can easily modify the cookie contents, but will have to work way harder to modify the session contents.
Cookies are a means to store information in the end-user's browser, so that the server can track the end-user.
Sessions are also implemented by using cookies, but the actual data is not in the browser; rather, it is stored in the user's session record on the server. In the case of sessions, cookies are used to identify a particular end-user's session identifier on the server records. Hence, they are a more secure way of storing user information.
A cookie is a piece of data stored on the client side.
Data stored in session is stored on the server side, and the various sessions are identified by cookies.
There are sessions and cookies; both are used to store values or data. But there are some key differences between a session and a cookie: a cookie stores the data in your browser and a session is stored on the server. Cookie data is available in your browser up to the expiration date, and session data is available for the browser run; after closing the browser we lose the session information.
A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser, it will send the cookie too.
A session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application.
A cookie is a unique piece of information that the user sends to the web server with each request in order to identify himself. This unique id can be used to store information about this specific user on the server (session).
Cookies will only expire at their expiry time or if you explicitly clean the cookies / cache of your browser. Cookies remain on the system even after you open your browser the next day.
Cookies are stored on client's system so they are less secure.
A session will expire at its expiry time or if the browser has been closed. As the session is stored on the server, it is more secure.
So for a login module, a combination of session and cookie should be used.
Cookies stored client side but session stored server side.
Cookies: you close your email account without signing out; when you open it again you do not enter a username and password, but your email account is open.
Session: you close the webpage, and when you open it again the starting page appears.
The best example to illustrate the difference between sessions and cookies is:
when you log in as a member on any site, it creates a session until you log out...
that is a session..
and cookies: when you browse websites, they are stored in your computer's main memory; that is cookies
i.e. session is server side
and cookies are client side
We have three differences in general. The key difference is that cookies are stored on the client side and sessions are stored on the server side. The second difference is that cookies can only store strings; we can store our objects in sessions. Storing objects in sessions was really useful in my experience. Another difference is that we can save a cookie for future reference, but a session can't be saved. When users close their browser, they also lose the session.
PHP Sessions
PHP has built-in functions to save session variables. The variables are stored in state files. These state files need not be explicitly created and managed. The following are the steps for saving and retrieving values of session variables.
The setcookie() command must be issued before any printed output occurs because the cookie must be written as part of the HTTP header. PHP automatically parses any HTTP_COOKIE string into an associative array $_COOKIE. The value of the cookie can be retrieved from the cookie thus:
$_COOKIE["some_var"]
Cookie: A key/value pair that is stored by the user's browser and is available in the superglobal $_COOKIE array available in PHP. The cookie request is initiated with an explicitly defined expiration date. For example:
setcookie('cookieName', $some_value, time()+3600, "/", ".example.com")
On the next server request, $_COOKIE['cookieName'] will be available. If you use a browser tool to look at the cookie, it will have an expiration date.
Session Cookie: Identical to the above but defined without an expiration date. If you use the same browser tool it will say that the cookie expires at the end of the session; which is ultimately when you close your browser. For example:
setcookie('cookieName', $some_value);
PHP Session: a server side mechanism that will associate a bunch of data with a session id. Every time a session is invoked, it serializes/unserializes it. This could be more data than just a single key/value pair that a cookie supports, but the way of associating this data with a user is by creating a cookie (regular or session as described above) in their browser that contains the session id. This way, the right data can be retrieved for a given user based on the value of that cookie.
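The answer above distinguishes a cookie with an explicit expiry (kept on disk), a session cookie (no expiry, dropped when the browser closes) and the PHP session that rides on one of them. The added example below is my own code, not the answer's: it builds both cookie kinds with the PHP 7.3+ options array so the protective attributes are set in one place, and prints the resulting Set-Cookie headers for comparison with a browser's developer tools. The cookie names and values are constructed for the example.

```php
<?php
declare(strict_types=1);

// Options for a cookie that persists for $ttlSeconds. The attributes keep it
// off plain HTTP, out of document.cookie, and off most cross-site requests.
function persistent_cookie_options(int $ttlSeconds): array
{
    return [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'domain'   => '',        // current host only (assumption: single host)
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Same attributes, but no Expires/Max-Age: the browser discards it on close.
function session_cookie_options(): array
{
    $options = persistent_cookie_options(0);
    $options['expires'] = 0;   // 0 means "session cookie" for setcookie()
    return $options;
}

// Returns the Set-Cookie lines queued for this response, for inspection.
function queued_set_cookie_headers(): array
{
    return array_values(array_filter(
        headers_list(),
        fn(string $h): bool => strncmp($h, 'Set-Cookie:', 11) === 0
    ));
}

// 'preferences' survives a browser restart for 30 days; 'flash' does not.
setcookie('preferences', 'theme=dark', persistent_cookie_options(30 * 24 * 3600));
setcookie('flash', 'Saved!', session_cookie_options());

// Cookie values only show up in $_COOKIE on the *next* request; this
// request's array reflects what the browser sent with it.
foreach (['preferences', 'flash'] as $name) {
    printf("%s: %s\n", $name, $_COOKIE[$name] ?? '(not sent yet)');
}

// The persistent cookie line carries expires=... and Max-Age=...; the session
// cookie line carries neither.
foreach (queued_set_cookie_headers() as $header) {
    echo $header, "\n";
}
```

Reload the page once and both values appear in $_COOKIE; quit the browser and reopen the page, and only 'preferences' remains, which is the behaviour the answer describes.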
Both are super global, i.e, they can be used anywhere in the site.
Differences between sessions and cookies:
Cookies are stored in the browser (client side) while sessions are stored in the server (host).
Cookies are remembered till they are deleted while sessions are deleted when the user closes the tab/browser (depending on the browser).
Cookies can be seen by the user while sessions cannot.
Due to the reasons above, I would recommend not storing sensitive data in cookies, and storing the data that is to be remembered even after the user has left in cookies.
Cookie - Data stored in the browser; it works on the browser/client side only. For example, if you log in to a Gmail account with username and password, and after a successful login you close the current tab and after some time open the same page, the login page won't come; it will open directly with the login details. This is a cookie.
Session - Data stored on the server side. For example, the same as the cookie example: after entering the login details you get a notification of success; once you close the browser and open it again after some time, it will ask for the login details again (another example is shopping).
I need a session variable that still exists even after the browser is closed or the system is shut down.
But my page does not support session scope between browsers: first I sign in with Firefox, then when I log in with Chrome it goes to the login page. Why does this happen? Please, can anybody help me solve this problem?
Thanks and Regards,
Alagar Pandi.P
alagar.pandi#gmail.com
Session scope between browsers is not possible. Sessions are identified by a token, which must first be given to the user, and then passed back later by the browser in some form. Generally this is done with cookies, although it can also be done by appending the token to URLs as the visitor browses around the site.
Since web browsers are separate pieces of software with their own methods of handling cookies, you cannot share cookies between browsers, and therefore you cannot share cookie-based sessions. It is possible to copy-and-paste a URL from a web site that contains a session token into another browser and continue the session there, but most sites use cookies, so this is not often possible, and it certainly doesn't accomplish what you would like to do.
What you ask is generally considered impossible, but also usually not an issue. On the plus side, it is also a process generally understood by most users. Users do not expect to log in to a site with one browser, and then boot up another and still be logged in.
Does the session expire between browsers, and after browser or system shutdown?
Neither after browser close nor after system shutdown.
A session expires when it times out on the server side, and that depends on each web server's settings, for example after 20 minutes.
Cookies are the only way to track users. They can either be persistent or not. If a cookie is persistent it is stored in the user's computer as a file and has an expiration date but only the browser that created it will be able to access it again. There's no way to achieve cross-browser cookies.
Then you should use client-side cookies rather than session variables.
A session exists only until the browser closes or the system shuts down.
If you still want to proceed with a session variable, then store the session value in the DB, and whenever the login page loads check the DB whether the user hasn't signed out manually; if so, show him the main page, otherwise show him the login page.
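The last answer's suggestion (keep a login record in the database and consult it when the login page loads) is the "remember me" pattern from the earlier answer about keeping a user logged in past browser close. The added example below is my own implementation of that pattern, not code from any answer: the cookie carries a random selector and validator, the database stores only a hash of the validator, lookup is by selector and the comparison is constant-time, so a dump of the table does not yield usable cookies. SQLite in memory stands in for the application database, and the cookie name, table name and TTL are assumptions for the example.

```php
<?php
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';          // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;      // assumed lifetime: 30 days

// Constructed in-memory store; a real application uses its own DB connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    selector       TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL,
    user_id        TEXT NOT NULL,
    expires_at     INTEGER NOT NULL)');

// Create a token for $userId and return the cookie value "selector:validator".
function issue_remember_token(PDO $db, string $userId): string
{
    $selector  = bin2hex(random_bytes(9));    // 18 hex chars, DB lookup key
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, the secret
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Return the user the cookie belongs to, or null if it is malformed, unknown,
// expired, or its validator does not match the stored hash.
function user_from_remember_token(PDO $db, string $cookie): ?string
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison: the secret cannot be guessed byte by byte.
    if (!hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return $row['user_id'];
}

// Invalidate the token server-side (on explicit sign-out).
function revoke_remember_token(PDO $db, string $cookie): void
{
    $selector = strtok($cookie, ':');
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Round trip used when the script is run from the command line:
// issue, verify, reject a tampered validator, revoke, reject the revoked token.
function self_check(PDO $db): bool
{
    $cookie   = issue_remember_token($db, 'alice');
    $ok       = user_from_remember_token($db, $cookie) === 'alice';
    $tampered = substr($cookie, 0, -1) . ($cookie[-1] === '0' ? '1' : '0');
    $ok       = $ok && user_from_remember_token($db, $tampered) === null;
    revoke_remember_token($db, $cookie);
    return $ok && user_from_remember_token($db, $cookie) === null;
}

if (PHP_SAPI === 'cli') {
    echo self_check($db) ? "remember-token round trip ok\n" : "round trip FAILED\n";
    exit;
}

// Web request flow: a live PHP session wins; otherwise the long-lived cookie
// is checked and, if valid, a fresh session is started for that user.
session_start();
if (!isset($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $userId = user_from_remember_token($db, $_COOKIE[REMEMBER_COOKIE]);
    if ($userId !== null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
    }
}
// After a successful password login the token cookie is set like this:
// setcookie(REMEMBER_COOKIE, issue_remember_token($db, $userId), [
//     'expires' => time() + REMEMBER_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Because the token lives in a cookie, this still does not share a login between Firefox and Chrome, which the earlier answers explain is not possible; what it does give is a login that survives closing the browser, with a server-side record that can be revoked at any time.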