sessions vs cookies
| Atte André Jensen 2005-12-09, 7:59 am |
| Hi
I'm developing a site where I'd like to store information during a user's
visit. So far I've been using sessions, but as far as I can tell it's
not possible to control for how long a session is valid. It seems that
this information is valid until the browser closes.
On the other hand it's possible to set expiration time for cookies.
Does this mean that I have to abandon $_SESSION altogether and switch to
$_COOKIE for storing information? Or can/should they be coupled in some way?
In other words: are sessions and cookies conceptually an either-or or
are they supposed to supplement each other?
Thanks in advance for any reply...
--
peace, love & harmony
Atte
http://www.atte.dk
| |
| Juha Suni 2005-12-09, 7:01 pm |
| Atte André Jensen wrote:
> Hi
>
> I'm developing a site where I'd like to store information during a
> user's visit. So far I've been using sessions, but as far as I can
> tell it's not possible to control for how long a session is valid. It
> seems that this information is valid until the browser closes.
>
Sessions use cookies. The cookies are used to store the user's session ID.
These cookies by default have their lifetime set to 0 (meaning that the
cookie expires when the browser is closed). You can change this from php.ini
with session.cookie_lifetime, or using the
session_set_cookie_params() function from within the script.
See
http://www.php.net/session
and
http://www.php.net/manual/en/functi...okie-params.php
Please note that these settings only affect the cookie. While the cookie
might persist in the browser (if it is kept open for a long time), the
actual session data stored on the server might be gone. By default the PHP
garbage collection clears up sessions that have not been used for 24
minutes. To change session lifetimes use session.gc_maxlifetime in php.ini.
Please note that even this might not be enough if some other scripts, with
smaller timeouts, use the same folder for storing the session data (their
garbage collection would trash session files in the folder according to
their timeout rules). To avoid this, you would need to set the script to use
a different session save path (session.save_path).
Usually sessions are all you need. Setting the session timeout to higher
than 24 minutes takes a few steps but is not a problem.
HTH
--
Suni
| |
| Gordon Burditt 2005-12-09, 7:01 pm |
| >I'm developing a site where I'd like to store information during a user's
>visit. So far I've been using sessions, but as far as I can tell it's
>not possible to control for how long a session is valid. It seems that
>this information is valid until the browser closes.
You can put a time stamp *in* the session, and check for how old it
is in subsequent pages. You get to decide whether it's based on time
since the FIRST hit or time since the LAST hit (update timestamp on
every hit). If your objective is a timed-out login, if the time stamp
gets old, redirect them to the login page.
PHP's probabilistic session expiration isn't very good if you
want the session expired ON TIME, EVERY TIME. It's not too bad
if you just want expired sessions to go away eventually so they
don't clutter up your system with too many old files.
>On the other hand it's possible to set expiration time for cookies.
And it's entirely up to the browser to actually expire them.
How many users running browsers have their clock set to the wrong YEAR?
Also, users may be able to edit the expiration time of cookies.
>Does this mean that I have to abandon $_SESSION altogether and switch to
>$_COOKIE for storing information? Or can/should they be coupled in some way?
I suggest storing your own expiration time into the session.
>In other words: are sessions and cookies conceptually an either-or or
>are they supposed to supplement each other?
Sessions are usually kept using a session cookie but PHP can fall
back to passing the session cookie in the URL (especially if trans_sid
is on). *If* cookies are enabled, you can also use cookies
independently.
Gordon L. Burditt
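
[Added example, not part of the original thread or any poster's code.] The timestamp-in-session approach from the post above, combined with the session settings from Juha Suni's reply, enforcing both an idle limit (time since the LAST hit) and an absolute limit (time since the FIRST hit). The limits, the save path, the login URL, the HTTPS-only cookie flag and the PHP 7.3+ array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example: constants, paths and URLs below are assumptions, not from the thread.
const IDLE_LIMIT     = 30 * 60;      // seconds allowed since the LAST hit
const ABSOLUTE_LIMIT = 8 * 60 * 60;  // seconds allowed since the FIRST hit

// Pure policy check: returns 'ok', 'idle' or 'absolute' for a session array.
function session_state(array $s, int $now): string
{
    if (!isset($s['created'], $s['last_seen'])) {
        return 'ok'; // fresh session, nothing to expire yet
    }
    if ($now - $s['created'] > ABSOLUTE_LIMIT) {
        return 'absolute';
    }
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        return 'idle';
    }
    return 'ok';
}

// Own directory, so another script's garbage collection cannot delete our files.
ini_set('session.save_path', '/var/lib/php/sessions-myapp'); // hypothetical path
// Garbage collection must not remove data before our own limit is reached.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
// Lifetime 0 = cookie lasts until the browser closes; real expiry is checked below.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

$now = time();
$state = session_state($_SESSION, $now);
if ($state !== 'ok') {
    // Expired on the server's clock: drop the data and require a new login.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php'); // hypothetical login page
    exit;
}
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = $now;   // first hit
}
$_SESSION['last_seen'] = $now;     // updated on every hit
```

Because the check uses the server's clock and server-side data, it does not depend on the browser expiring the cookie or on when garbage collection happens to run.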
| |
| cross at php net 2005-12-10, 3:59 am |
| > I trashed cookies altogether, since it didn't seem appropriate for my purpose...
just a repeat of a previous thought...
cookies are USED in 90% of session use (if the client accepts them and
the server [php.ini] isn't set up to force cookie usage.)
cookies are a client side thing, whereas sessions are server side.
| |
| Atte André Jensen 2005-12-10, 3:59 am |
| cross at php net wrote:
> cookies are a client side thing, whereas sessions are server side.
"I trashed setcookie() altogether..."
--
peace, love & harmony
Atte
http://www.atte.dk
| |
| Jerry Stuckle 2005-12-10, 6:59 pm |
| Atte André Jensen wrote:
> cross at php net wrote:
>
>
>
> "I trashed setcookie() altogether..."
>
>
>
I think you missed Colin's point.
Over 90% of sessions use cookies anyway, even if you trash setcookie()
altogether.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| |
| Atte André Jensen 2005-12-16, 7:56 am |
| Jerry Stuckle wrote:
> I think you missed Colin's point.
>
> Over 90% of sessions use cookies anyway, even if you trash setcookie()
> altogether.
This is my last rephrase:
I still use cookies in my session but I do not call the setcookie()
function. I do understand what has been pointed out several times that
over 90% of sessions use cookies.
I will, however comment further in this thread, even if you claim that I
didn't understand whatever.
Case closed!
--
peace, love & harmony
Atte
http://www.atte.dk