Hi!

I apologize. Of course cookies are stored IN files. That was what I meant.

Best regards
/Gustav Wiberg

PS. You should see what I meant, not what I typed ;-)

-----Original Message-----
From: Warren Vail [mailto:warren@xxxxxxxxxxxx]
Sent: Wednesday, October 10, 2007 8:51 AM
To: 'Gustav Wiberg'; 'Matthew Gonzales'; 'PHP-Windows Group'
Subject: RE: Authentication Question!

Gustav,

Your statements are not entirely accurate. Cookies are stored IN files on the client HD and can be stored there for a while; they don't do anything to cause unspecified files to be stored, as you seem to say.

PHP sessions employ a cookie to store the session key, which is transmitted with other data from the browser to the server every time a page from your domain is requested. At one time (not sure it still does) PHP used to add the key to the URL in the event that cookies were disabled by the visitor.

Sessions allow you to store data on the server, and not send it to the browser, and have that same data available with each page request. If this is sensitive data, like a customer's identity, that is a good thing; sending that information back and forth across the internet (as would be the case if stored in a cookie) provides opportunities for a sniffer to capture it.

If you use cookies for storing data on the visitor's computer, you might want to consider encrypting the data, since it would be available to anyone who gained access to his computer. When you use PHP sessions, by default the only thing stored on the visitor's computer is the session key, but of course you are free to send other cookies. The data elements you store in a session are actually stored on your server, where you can protect them and make the data persist at least as long as the session remains.

A good way to learn about PHP sessions is to write database session handler routines and track how they are used; pay close attention to the garbage cleanup routine, which destroys old sessions. You will have to write a set of these routines if you have a high-volume site with a load balancer in front of your web server, because if you use the file storage technique that comes with PHP, you may wind up storing your session data on one server, and with the next request the visitor could be directed to a different server (you get the idea).

Probably more than you wanted to know,

Warren Vail

-----Original Message-----
From: Gustav Wiberg [mailto:gustav@xxxxxx]
Sent: Tuesday, October 09, 2007 11:23 PM
To: 'Matthew Gonzales'; 'PHP-Windows Group'
Subject: RE: Authentication Question!

Hi!

For higher security it's generally better to use sessions BECAUSE cookies generally store files on the client HD for a longer time, and it's therefore easier to get the password (if the password itself is not encrypted).

My tip is to use sessions if it works. Use cookies on the other hand (it depends on the application what you need).

Best regards
/Gustav Wiberg

-----Original Message-----
From: Matthew Gonzales [mailto:matt323@xxxxxxx]
Sent: Tuesday, October 09, 2007 8:23 PM
To: PHP-Windows Group
Subject: Authentication Question!

Hello,

Could someone offer their opinion on which is better to use when creating a password-protected area, a $Cookie or a $Session? I have found a lot of info on both and can't really make up my mind. I am running PHP and MySQL on IIS 6.0.

Matt G

--
Matthew Gonzales
IT Professional Specialist
Enterprise Information Technology Services
University of Georgia
Email: matt323@xxxxxxx
Phone: (706)542-9538

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php