xisto Community
FirefoxRocks

Php Sessions


I'm wondering what's the best way to implement user login functionality. Should I be using PHP sessions or some other thing like whatever CodeIgniter is doing? (http://www.codeigniter.com/user_guide/libraries/sessions.html) I have already developed the authentication part of the login system by using OpenID; however, I am having difficulty developing the session part of the user login. I don't want to start off wrong and then have to do a complete overhaul (of even just one class or aspect of the application) because I started off wrong.


I have noticed that most of the web apps are using some sort of web framework like CodeIgniter. All of them are handling sessions in some cryptic way, at least to me. I don't see any of them using sessions with the typical PHP session handling way. Then again, it all depends on your project. If you're coding from scratch, then it is always better to test with something that PHP offers. Then you can go ahead with the web framework way.

By the way, I was kind of confused about how the frameworks or our own code can be used to set the timed sessions. I have seen a few payment processors using that type of feature. For example, say Liberty Reserve, that logs you in for 15 minutes and then the session gets expired after some time. So that is why the question is: how are those sessions handled by code? I am not sure if these types of sites are using CodeIgniter; mostly their own custom framework and code.

This is an interesting topic. I would see some other responses with code. That will clarify everything for those who have less idea about sessions.


Isn't this simply a cookie on your PC? The age of this cookie says the age of your session?

I think sessions are different than cookies. I am not an expert PHP developer, but I tend to look around for various help topics about PHP development. And according to my information, a cookie is stored on the user machine while a session is stored on the server. That is the main difference between the two.
And this difference makes sessions more reliable and safe to be used with login type scenarios. Cookies can be used too, but I think nowadays their use has been reduced to sites that don't require a high level of safety and that allow users to remain signed in for long periods of time (like many months).

I don't remember the exact place where I read it, but I read that it is better to use a mix of both. For instance, one should use sessions for authentication and other safety related stuff and then cookies to allow long term login support.


I think sessions are different than cookies. I am not an expert PHP developer, but I tend to look around for various help topics about PHP development. And according to my information, a cookie is stored on the user machine while a session is stored on the server. That is the main difference between the two. And this difference makes sessions more reliable and safe to be used with login type scenarios. Cookies can be used too, but I think nowadays their use has been reduced to sites that don't require a high level of safety and that allow users to remain signed in for long periods of time (like many months).

I don't remember the exact place where I read it, but I read that it is better to use a mix of both. For instance, one should use sessions for authentication and other safety related stuff and then cookies to allow long term login support.


PHP sessions work by putting a cookie on your computer with which it identifies you. When you start a session with PHP, you send a cookie for the sessions to identify you and select the correct session, which is stored in the server sessions folder; that session will expire depending on the cookie.

If cookies are disabled on the browser, PHP uses PHPSESSID and puts it in all the links on your site. Whenever you click a link, you also click the session id parameter in the URL, and from that string the PHP session identifies you. It's really quite a bad practice, because you can give that link to someone else and it identifies them as if it was you, which is quite a security risk. That is why usually in sessions the encrypted string encrypts your IP address and checks it, so if you use one IP, the person who spoofed your data and got the cookie or PHPSESSID won't be able to use it, because he is on a different IP.

But that is also annoying, because today people use laptops or mobile devices and they have a changing IP: once they use the Internet in the university, after a few hours they use it at home, etc. Their IP is changing and they always need to login. Because of that, all the frameworks have a quite secure mechanism which makes your sessions quite safe, and that is how you need to use it. The PHP sessions algorithm is also using something like that, but when you create your custom login with sending a cookie, you don't use these algorithms if you don't know about them, so be careful. :)


PHP sessions work by putting a cookie on your computer with which it identifies you. When you start a session with PHP, you send a cookie for the sessions to identify you and select the correct session, which is stored in the server sessions folder; that session will expire depending on the cookie.

If this is right, then I think I have to seriously think about what I was actually doing when I was apparently listening to the PHP tutorials. My thought on sessions and cookies was that the session file is stored on the server and the cookie file is stored on the user machine. From your discussion, I guess my knowledge was incomplete. The session file does exist on the server, but a cookie is needed for it as well. I hope I get it correctly this time.

If cookies are disabled on the browser, PHP uses PHPSESSID and puts it in all the links on your site. Whenever you click a link, you also click the session id parameter in the URL, and from that string the PHP session identifies you. It's really quite a bad practice, because you can give that link to someone else and it identifies them as if it was you, which is quite a security risk. That is why usually in sessions the encrypted string encrypts your IP address and checks it, so if you use one IP, the person who spoofed your data and got the cookie or PHPSESSID won't be able to use it, because he is on a different IP.

I am unable to make a decision on which one is more secure: sessions or cookies? Can you please talk about this a bit more... I have heard (or read) somewhere that sessions are more secure than cookies because the file that has most of the information resides on the server, and thus access to the file is limited. On the other hand, because the cookie file resides on the user machine, access to it is relatively easier and the chances of secret information leaking out are much greater.
What do you have to say about this?


If this is right then I think I have to seriously think about what I was actually doing the session file is stored on the server and the cookie file is stored on the user machine.

I would say that a session is a process, or a thread, rather than a file. A file could be helpful for that purpose, for instance a socket, but I associate a session with a process rather than with a file.


Sessions are stored on the server; every "user" which gets a session on a server gets a unique identification on the browser, usually in the form of a cookie. So for sessions to work, you need cookies which store your session id.

PHP sessions are safe, but not as safe as some implementations of user login systems in some products, which use some extra things, but I guess it's much better to start a session and use it for authentication. But for example, if you want to make the user able to stay logged on for a year, you would need to create your own cookie with some kind of identification of that user, like a hashed username and password with salt and maybe even an IP address; it depends what you want, because cookies can be stolen. If a cookie can be stolen, so a session can be stolen too, but in my opinion for most things PHP sessions are enough.

To store information in a session is, in my opinion, much better than storing everything in a lot of cookies on the client browser which can be spoofed. Usually you store in a cookie information which isn't very important, or a one way hash which you can only check, but not read and show.

Edited by Quatrux (see edit history)
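The long-lived "stay logged in" cookie described in the post above, as an added example that is not code from the thread. It swaps the hashed username/password idea for a random selector/validator pair, so the cookie never carries anything derived from the password and a stolen database row is not a usable cookie. It assumes PHP 7.3 or newer, a PDO connection `$db` and a table `persistent_logins(selector, validator_hash, user_id, expires)`, all of which are assumptions for this example.

```php
<?php
// Added example (not from the thread). Assumed schema:
// persistent_logins(selector VARCHAR, validator_hash CHAR(64), user_id INT, expires INT)
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days

// Issue the cookie after a successful login when the user ticked "remember me".
function issueRememberMe(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;
    $stmt = $db->prepare(
        'INSERT INTO persistent_logins (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, otherwise null. Call this only when
// no PHP session is active, then start a fresh session for the returned user.
function checkRememberMe(PDO $db): ?int {
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so the check does not leak timing information.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator suggests a copied cookie: revoke it.
        $db->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}
```

Rotate the pair (delete the row and call issueRememberMe again) each time the cookie is accepted, so a copied cookie stops working as soon as the legitimate browser uses it.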


because cookies can be stolen. If a cookie can be stolen, so a session can be stolen too,


I am not an expert PHP developer, nor do I have much knowledge about server side stuff. But I remember one tutorial about PHP sessions and cookies where the demonstrator mentioned somewhat similar stuff. What I learnt from that tutorial was that cookies reside on the user computer while sessions reside on the server. And this very fact makes sessions a little bit more secure than cookies. User machines can easily be compromised through social connections and cookies can be stolen from them, which eventually can be used to find out restricted information about the user. But sessions are stored on the server, and because a server is a "server" and only certain individuals have direct access to it, the security cannot be compromised through social connections easily. So data on the server, according to this philosophy, is more secure than data on the user machine.

There might be another side of the picture. Servers are prone to more hacker attacks than user machines because they are always connected to lots of people from different parts of the world and the connection is available 24x7. On the other hand, getting backdoor access to a user machine might be extremely difficult if the user does have some knowledge of internet security.

So the eventual fact remains that nothing in the digital world is safe and everything has a vulnerability that can be exploited.


User machines can easily be compromised through social connections and cookies can be stolen from them, which eventually can be used to find out restricted information about the user. But sessions are stored on the server, and because a server is a "server" and only certain individuals have direct access to it, the security cannot be compromised through social connections easily. So data on the server, according to this philosophy, is more secure than data on the user machine.


With the stolen cookie which has the session id, you can access that session as if you were that unique user, but some security mechanisms exist so that it's not so easy to give cookies away for others to use the same session; a cookie is nothing more than HTTP header information. But of course, as I said, it's more secure to store data on the server and only the id to that data on the user computer, rather than all the data in different cookies.


And I agree with you completely. At this point I think it would also be useful if you talked a little bit more about the extra and advanced techniques that big companies like Facebook and Google use. It might be very interesting because they have to maintain a very delicate balance between user security and convenience. More security could potentially mean unhappy users, and more convenience could result in unauthorized access that could be gained easily... complete nightmare.


I am not so experienced to know what Facebook or Google is using, but for example, as far as I know WordPress doesn't use sessions at all; they use GET variables for everything and a cookie for authorizing a user, and they don't store anything more, but that might be old news?

Also, one of the best practices is to regenerate the session id after the user logs in or something like that. You can use the PHP function:

http://php.net/manual-lookup.php?pattern=manuagenerate-id.php&lang=en&scope=404quickref

Some other bigger products store sessions in a database of some kind, or even better in memcached, but that's a different story, because that session data needs to work on different processing machines or multiple servers. But if you just have one server and a simple website, I think a simple PHP session with regeneration of the session id is quite safe and is enough.

Don't use cookies yourself and use sessions, but it depends on your needs, you can always use your own session handler.

Here is some more reading about PHP sessions:

http://shiflett.org/articles/the-truth-about-sessions

Edited by Quatrux (see edit history)
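Pulling the thread's points together (cookies only, so no PHPSESSID in URLs; a regenerated id after login; an idle timeout like the 15 minutes mentioned earlier), here is an added example of a login flow on native PHP sessions. It is not code from the thread; it assumes PHP 7.3 or newer for the SameSite setting, and verifyCredentials() is an assumed helper that returns a user id or null.

```php
<?php
// Added example (not from the thread): native PHP sessions hardened as discussed
// above. verifyCredentials($user, $pass) is an assumed helper returning int|null.
const IDLE_TIMEOUT = 15 * 60; // seconds of inactivity before the login expires

function startSecureSession(): void {
    // These ini settings must be applied before session_start().
    ini_set('session.use_only_cookies', '1'); // never read the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.cookie_httponly', '1');  // cookie not readable by JavaScript
    ini_set('session.cookie_secure', '1');    // cookie sent only over HTTPS
    ini_set('session.cookie_samesite', 'Lax');
    session_start();

    // Server-side idle timeout, independent of the cookie's own lifetime.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        session_start(); // continue with a fresh, anonymous session
    }
    $_SESSION['last_activity'] = time();
}

function login(string $user, string $pass): bool {
    $userId = verifyCredentials($user, $pass); // assumed helper
    if ($userId === null) {
        return false;
    }
    // Issue a new id once the user is authenticated so an id obtained before
    // login cannot be reused (session fixation); true deletes the old data.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
    return true;
}

function currentUserId(): ?int {
    return $_SESSION['user_id'] ?? null;
}

function logout(): void {
    $_SESSION = [];
    // Clear the client's session cookie as well as the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call startSecureSession() at the top of every request before touching $_SESSION; the remember-me cookie from the earlier example, if used, should only be checked when currentUserId() returns null.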
