Sessions or cookies?

I'm making a forum for learning mostly but hopefully it will have a couple of user开发者_Python百科s some day.

What im wondering is should you use sessions or cookies for user authentication?

---

A cookie is a short piece of arbitrary data that the server sends through a header; the client stores it locally and sends it back on the next request. This mechanism can be used to maintain state from one request to the next even though HTTP itself is a stateless protocol. Cookies have two disadvantages: They offer only very limited amount of space (4 kB), and because they are sent back and forth in plain, a malicious client can fiddle with the contents before sending it back to the server, effectively making cookie data untrusted.

A session is a file on the server, identified by a unique ID which is sent back and forth between client and server so that the server can identify the client. The most popular way of sending the session ID is through the cookie mechanism, but it is also possible to pass the session ID through the URL (this is why you often see links that contain the URL parameter 'phpsessid'). This solves the two problems with cookies mentioned above: A file on the server can be as large as required, and the client cannot access the data other than through your own scripts.

Authentication is typically solved using cookie-based sessions; once authenticated, a new session is created, and the user ID is stored in it, and when logging out, the session is cleared and a new session ID is generated. Alternatively, you could store username and password in the session, and check them on every request.

---

Use a session.

A session is identified by a cookie, true, but not the same as storing user auth info in the client cookie, which is bad for security. A session cookie stores a guid or a hash in the cookie, then identifies the session (either database or file system based, depending on your server's php settings) based on that.

I recommend you store the primary key from your user table, not any other info, then look up the user info every time - this allows you to change their validation status, or security level on the fly while they are logged in; otherwise they will have to log out and back in before your administrative changes take effect for them - IE. you can't boot them.

Also, don't store the username/password, because that requires a less efficient query than by the indexed primary key (even if they are indexed as well).

---

They are essentially the same, working hand-in-hand. When you create a session..say through PHP, a cookie is created to store the session id too. On the other hand, you would create another cookie if you want to implement a "Remember Me" option to prevent your users from logging in every time.

---

I'm not a PHP expert, but Session and Cookie are related. In other programming languages you have the option of creating "Cookie based session" or "Cookie-less session". I'm not sure about PHP though so maybe you are referring to different concepts.

---

I feel using session is much more safe and easy then using cookies. The reasons are as follows:

1) In cookie we can only store a single piece of information, whereas in a session we can store as many information as we want.

2) Being stored on hard disk of user, cookies can be played with. Being a person interested in hacking, I have done that and gathered useful information about the user. Sessions cannot be used for such a thing.

---

If its a small amount of data (just one variable), I would use a cookie. Here is the code...

   setcookie("cookie name", "cookie value or variable name", time+ 3600, "\");

this code sets a cookie that is readable for any of your webpages. It also will delete its self in one hour.

You can also see if the cookie exists like this (to see if it has deleted its self).

    if (isset($_COOKIE['cookiename']))
    {

    }

to collect a value from a cookie...

    $value = $_COOKIE['cookiename']; //makes a variable for this cookie for your program