    #1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2

    Session or Cookie?


    Hi. I'm building a website that will be used on an event. People have to be able to register when they open the site and they can post forum topics or images from that account..

    It's an event that lasts 2 days. But when people close internet they shouldn't have to recreate an account..

    any ideas? thanks!
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,965
    Rep Power
    9397
    Sessions last as long as their cookies last, which is typically just the session but there's no reason they can't last longer. The difference is whether you need to remember sensitive information, and the answer is "yes" because you're talking about people logged into accounts.

    Are you going to allow people to log in? If not, what if they try to access the site from a different place than they signed up?
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    Originally Posted by requinix
    Sessions last as long as their cookies last, which is typically just the session but there's no reason they can't last longer. The difference is whether you need to remember sensitive information, and the answer is "yes" because you're talking about people logged into accounts.

    Are you going to allow people to log in? If not, what if they try to access the site from a different place than they signed up?
    They each get one iPad at the beginning. So first time they should create an account but after that the information should be remembered. Even if browser is closed. Thanks for the response!
  6. #4
  7. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    It's not usually a good idea to rely on PHP sessions lasting longer than a browser session. The session garbage collector is liable to wipe out your session data, so even if your session cookie still exists, the data associated with it might be gone. The expiration date on the session cookie is set per-session in the client cookie, but the expiration date for the data on the server is not set at all, so all it takes is accidentally invoking one PHP script with an unmodified garbage collection time and you will wipe all of your long-lasting sessions.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  8. #5
  9. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    Originally Posted by E-Oreo
    It's not usually a good idea to rely on PHP sessions lasting longer than a browser session. The session garbage collector is liable to wipe out your session data, so even if your session cookie still exists, the data associated with it might be gone. The expiration date on the session cookie is set per-session in the client cookie, but the expiration date for the data on the server is not set at all, so all it takes is accidentally invoking one PHP script with an unmodified garbage collection time and you will wipe all of your long-lasting sessions.
    Ok.. don't understand much of it but I get the essence! So I should go for cookies then? So that their info is kept on the device for at least 10 hours?
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    simply set the session cookie lifetime and the session lifetime in the php.ini to whatever time you need.

    I don't see how you could accidentally kill the session like E-Oreo says. This would require you to explicitly change the lifetime in any of your scripts -- why would you do that?

    The alternative would be to reimplement the whole session mechanism, which doesn't sound like a good idea.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  12. #7
  13. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    The easiest way to accomplish what you want is to override the session handling of PHP to not garbage-collect session files so quickly. Don't try to roll your own auto-login system or anything, you'll most likely get it wrong and compromise your users' security.

    Never store actual sensitive information in a cookie.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    I used the php function setcookie, the moment the user gets created.. Then the other pages check if the cookie exists, if not redirects to the login page.
  16. #9
  17. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    what's IN the cookie?
  18. #10
  19. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    Originally Posted by ManiacDan
    what's IN the cookie?
    the user id from the database created upon registration.
    using PDO's lastInsertId
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Cool, so I can login as any user I want?

    No, seriously: Mistakes like this are exactly the reason why both ManiacDan and I told you not to invent your own session mechanism. Use the one by PHP and change the time setting. Otherwise, I fear bad things will happen.
  22. #12
  23. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    Originally Posted by Jacques1
    Cool, so I can login as any user I want?

    No, seriously: Mistakes like this are exactly the reason why both ManiacDan and I told you not to invent your own session mechanism. Use the one by PHP and change the time setting. Otherwise, I fear bad things will happen.
    How can I login as any user I want? You enter your name, email address. When you click submit a profile for you is added to the database, that id is stored in a cookie..

    It's an event and every user has its own iPad. Don't understand how things could go wrong here?
  24. #13
  25. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by notflip
    that id is stored in a cookie..
    That's the problem. What prevents me from changing the ID in the cookie from, say, 5 to 4? I'd suddenly be logged in as user 4, while I'm actually user 5. I could masquerade as any user I want and steal all their data.

    Not sure if your customer would be happy about that. So before things go wrong, stop it and use the PHP sessions. In contrast to 99% of all home-made sessions, they actually work.
  26. #14
  27. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    Originally Posted by notflip
    How can i login as any user i want?
    Change the userID in the cookie.

    Originally Posted by notflip
    I don't understand how things could go wrong here?
    Famous last words. If you don't understand something, don't write your own version of that thing.
  28. #15
  29. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    2
    Originally Posted by Jacques1
    That's the problem. What prevents me from changing the ID in the cookie from, say, 5 to 4? I'd suddenly be logged in as user 4, while I'm actually user 5. I could masquerade as any user I want and steal all their data.

    Not sure if your customer would be happy about that. So before things go wrong, stop it and use the PHP sessions. In contrast to 99% of all home-made sessions, they actually work.
    Ok thanks for the info. I know how sessions work, but I need the user to stay logged in even after he/she closes the browser..
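
An added example, not code from any post in this thread: PHP's built-in session kept alive for the two-day event, with the user ID held server-side instead of in a client-editable cookie, and session data in its own directory so a script running with the default garbage-collection lifetime cannot remove it. The constants, the directory path and the function names are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: constants, path and function names are assumptions, not from the thread.
declare(strict_types=1);

const EVENT_LIFETIME    = 2 * 24 * 60 * 60;               // two-day event, in seconds
const EVENT_SESSION_DIR = '/var/lib/php/event_sessions';  // assumed path; must exist, writable by PHP only

// Call at the top of every script, before any output is sent.
function start_event_session(): void
{
    // Server side: keep session data for the whole event ...
    ini_set('session.gc_maxlifetime', (string) EVENT_LIFETIME);
    // ... in a directory of its own, so a script that runs with the default
    // gc_maxlifetime on the shared path cannot garbage-collect these sessions.
    ini_set('session.save_path', EVENT_SESSION_DIR);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue

    // Client side: a persistent cookie that survives closing the browser.
    session_set_cookie_params([
        'lifetime' => EVENT_LIFETIME,
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After registration: the user ID stays on the server, keyed by the random session ID.
function remember_user(int $userId): void
{
    session_regenerate_id(true);   // issue a fresh ID when the session becomes authenticated
    $_SESSION['user_id'] = $userId;
}

// Replaces the "does the cookie exist" check: editing a cookie value
// no longer selects another account, because the cookie holds no user ID.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Pattern discussed in the thread, shown for contrast only:
//   setcookie('user_id', (string) $pdo->lastInsertId(), time() + 36000);
//   $userId = $_COOKIE['user_id'];   // trusts whatever value the client sends
```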