Re: So why do I need session?

[Mikael Grön <php@xxxxxxxx>]

As I said.
Cookies being completely insecure is as valid as Cookies not being as 
secure as Sessions.

... *sighs*

Though, there are ways to make cookies more secure, for example by 
storing copies of them with timestamps in a database and matching values 
before allowing users to pass... But that's more or less exactly what 
Sessions do, so there's really no use of Cookies for authentication.

Mike


Stut skrev:
> Mikael Grön wrote:
> > You can, only it's not as secure. It's easier to edit cookies since 
> > they're not stored on the server. Also cookies don't disappear when 
> > you close the browser, which is standard on other pages with login 
> > systems. Your users will expect to be logged out when closing the 
> > browser.
>
> "as secure"??? Cookies are not secure at all. There has been a *very* 
> lengthy discussion of this subject on the PHP-General mailing list. 
> Search the archives for a recent thread with the subject "Session 
> Authentication".
>
> -Stut
>
> > sam rumaizan skrev:
> > > It is a general question.
> > >   Why can't I use cookie instead?
> > >   Mikael Grön <php@xxxxxxxx> wrote:
> > >   Are you asking someone specifically, or is this a general question?
> > >
> > > Here's an example of when sessions are useful:
> > > You have a login area on your website on which users who have 
> > > registered can log in to access special content. Only, you want such 
> > > a high security on your website so that people shouldn't be able to 
> > > simply browse to the hidden files, nor should a user still be logged 
> > > in when his friend uses his computer and starts a fresh browser. 
> > > Here's where sessions are perfect! You store the userId or similar 
> > > information in the session and start every secret page with the 
> > > question:
> > >
> > > if (!isset($_SESSION['userId']) || 
> > > !CoolCheckUserValidityFunction($_SESSION['userId'])):
> > > header("Location: login.php");
> > > exit;
> > > else:
> > > $GLOBALS[USER] = new User($_SESSION['userId']);
> > > endif;
> > >
> > > of course you should not do that check in login.php... :P
> > >
> > > Mike
> > >
> > > PS: That $GLOBALS[USER] and the User class part is my own stuff.. 
> > > Dunno if anyone else does stuff like that.. :P
> > >
> > >
> > > sam rumaizan skrev:
> > >  
> > > > You use a session to store values that are required over the course 
> > > > of a single visit, and a cookie to store more persistent data that 
> > > > is used over multiple visits. Session: when you close the browser 
> > > > the session gets flushed. Which means the browser will not 
> > > > recognize the user next time he/she browse the page unlike cookie.
> > > >
> > > > So why do I need session? OR maybe I didn’t understand session
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ---------------------------------
> > > > Looking for earth-friendly autos? Browse Top Cars by "Green Rating" 
> > > > at Yahoo! Autos' Green Center.
> > > >     
> > >
> > >
> > >
> > >
> > >
> > >  
> > >
> > >        ---------------------------------
> > > The fish are biting.
> > >  Get more visitors on your site using Yahoo! Search Marketing.
> > >   

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php