On Saturday 24 June 2006 09:51, John Meyer wrote:

> BTW, I have a question: which is the preferred way to handle variables
> on the client side: cookies or sessions? Or are there situations where
> one should be used and the other should be used in these other situations.

If it's a variable that you want the user to be able to hold onto for days, weeks, or months at a time (such as a "remember me" function for blog comments, for example), then use cookies, but NEVER store a username or password, even encrypted, in a cookie. For everything else, use PHP's session handling, particularly the cookie-saved version.

Remember, cookies are user-supplied data. That means it is not to be trusted. A session key is hard to hijack, or at least harder than it is to fake a non-random-key cookie. It's easier to hijack if it's in the URL GET string rather than a cookie.

--
Larry Garfield
AIM: LOLG42
larry@xxxxxxxxxxxxxxxx
ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson

--
PHP General Mailing List (http://www.php.net/)
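
Added example, not part of the original message: one way to apply the advice above in PHP 7 or later, with the session ID kept in a cookie rather than the URL and a "remember me" cookie that carries only a random token. The function names and the in-memory `$store` array (standing in for a database table) are hypothetical.

```php
<?php
// Added example; helper names are hypothetical, $store stands in for a DB table.

// Keep the session ID in a cookie only, never in the URL GET string.
function harden_session_settings(): void {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1'); // assumes the site is served over HTTPS
}

// Build a "remember me" cookie value: random selector plus random validator.
// Only a hash of the validator is kept server-side; no username or
// password, encrypted or not, goes into the cookie.
function issue_remember_token(array &$store, int $userId, int $ttl = 2592000): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator; // value to pass to setcookie()
}

// The cookie is user-supplied data: validate its shape, then compare in
// constant time. Returns the user id, or null if the value is not accepted.
function check_remember_token(array &$store, string $cookie): ?int {
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $row = $store[$m[1]] ?? null;
    if ($row === null || $row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $m[2]))) {
        unset($store[$m[1]]); // drop expired or mismatched records
        return null;
    }
    return $row['user_id'];
}

// Constructed demo input.
harden_session_settings();
$store  = [];
$cookie = issue_remember_token($store, 42);
var_dump(check_remember_token($store, $cookie));      // token issued above
var_dump(check_remember_token($store, 'user=admin')); // hand-written cookie value
```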