RE: About Session And Cookies

Kelvin,

Sessions are just one of the items recommended for an e-commerce website.  I
seem to recall that if cookies were not enabled there was a way of
passing the session id in the URL as a "Get" parameter.

Basically you will store the items to be purchased in a special table and a
shopper ID or cart ID number will be assigned with the first selected item
and needs to be retained to be able to recall the selected items when the
shopper is ready to check out.  A session variable is a good place to store
this id, but it could also be passed in the form as a hidden field.  A
session is also a convenient way of providing a generic storage of the items
to be purchased, separate table is possibly more common.  You don't have to
be too concerned about security up to the point where someone begins to
check out when you begin gathering personal information from the buyer.
Give it some thought, but I suspect in most cases that if someone were to
capture a session at this point, the worst that could happen is they would
both order and pay for the same items.

When you gather personal information it becomes a different matter, and at
this point I would first recommend you consider passing your order items to
a resource like paypal and let them collect the personal information.  If
that is not possible you will want to switch to SSL communication with the
browser before you present your form for the personal information, and
even in this mode I would recommend that if you detect errors on the form
and need to re-present the form for the buyer to correct info, toss away the
credit card info and have them reenter it.  You do not want to store this in
your session, or anywhere on your system without really secure encryption
(I'm talking about the DB side here, not the SSL channel to the browser).

Once you begin collecting personal information (and this is not limited to
the obvious like social security numbers), you should make sure the session
cannot be hijacked, to prevent identity theft.  This is where cookies work so
well.  Anyone who doesn't allow cookies is forcing you into a situation
where you must expose their session information in the URL or a hidden field
on the form where it can be hijacked, in which case I would refuse to have
them as a customer; it's not worth the risk.

Hope this helps,

Warren
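As an added example (not code from this thread or from either poster), the following shows how the advice above maps onto PHP session configuration on a current PHP release (7.3 or later, for the array form of session_set_cookie_params): the session id travels only in a cookie, never in a URL or hidden field; checkout refuses to proceed without HTTPS and without a session cookie; the id is regenerated when personal information starts to flow; and card data is validated and used for the charge without ever being written to the session. Function names, session keys and the placeholder charge routine are assumptions.

```php
<?php
// Added example: session bootstrap for a PHP cart/checkout.
// All function and session-key names here are assumptions, not a library API.

declare(strict_types=1);

function secure_session_start(): void
{
    // Never accept a session id from the query string or a form field.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not itself generate (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // sent only over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** True when the browser presented a cookie carrying the session id. */
function client_sent_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

function cart_add(string $sku, int $qty): void
{
    if (!isset($_SESSION['cart_id'])) {
        // Cart id is assigned with the first item and kept server-side only.
        $_SESSION['cart_id'] = bin2hex(random_bytes(16));
        $_SESSION['cart']    = [];
    }
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

/**
 * Called when the shopper moves from browsing to checkout: require HTTPS,
 * require a cookie-backed session (no fallback to URL or hidden-field ids),
 * and issue a fresh session id so an id observed while browsing is useless.
 */
function begin_checkout(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        exit('Checkout requires HTTPS.');
    }
    if (!client_sent_session_cookie()) {
        http_response_code(400);
        exit('Cookies are required to check out.');
    }
    session_regenerate_id(true);    // old id is deleted server-side
    $_SESSION['checkout_started'] = time();
}

/**
 * Handle the payment form. Card data is validated, handed to the processor,
 * and discarded; it is never written to $_SESSION. On a validation error the
 * form is re-presented with the card fields blank so the buyer re-enters them.
 */
function handle_payment_post(array $post): array
{
    $errors = [];
    if (!preg_match('/^\d{13,19}$/', $post['card_number'] ?? '')) {
        $errors[] = 'Invalid card number.';
    }
    if (!preg_match('/^\d{3,4}$/', $post['cvv'] ?? '')) {
        $errors[] = 'Invalid security code.';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors, 'card_number' => '', 'cvv' => ''];
    }
    // hypothetical_charge() stands in for the payment-processor call; the
    // card values go only there and fall out of scope afterwards.
    $charged = hypothetical_charge($post['card_number'], $post['cvv'], $_SESSION['cart'] ?? []);
    unset($post['card_number'], $post['cvv']);
    return ['ok' => $charged, 'errors' => []];
}

/** Placeholder (assumption): a real implementation talks to the processor over TLS. */
function hypothetical_charge(string $card, string $cvv, array $cart): bool
{
    return count($cart) > 0;
}

// Usage in a request handler:
secure_session_start();
cart_add('SKU-0001', 2);          // constructed sample item
if (($_GET['step'] ?? '') === 'checkout') {
    begin_checkout();
}
```

The `session.use_only_cookies` and `session.use_strict_mode` settings are the part that enforces the poster's stance: a client that does not send cookies gets an error page rather than a session id in the URL, and an id that was never issued by this server is ignored instead of being adopted.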
 

-----Original Message-----
From: Kelvin Park [mailto:kelvinpark86@xxxxxxxxx] 
Sent: Friday, August 17, 2007 3:02 PM
To: php-general@xxxxxxxxxxxxx
Subject:  About Session And Cookies

I am trying to setup a secure login system.
I've heard that if I use just cookies for login, members without cookies
turned on won't be able to see the member pages.

Is using session recommended for e-commerce websites with shopping carts?
Or, using both of them might be more effective in some way.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

