  1. #1 dhtmlhelp (SitePoint Evangelist, joined May 2003)

    What is the best sessions option

    Hello,

    Can anyone please explain the advantages and disadvantages of:

    1) Using sessions in combination with cookies (storing the session number on the client machine)

    2) Using sessions without cookies (passing the session number in the url)

    and

    3) Logging the IP address with sessions (with or without cookies).

    I need to understand which is the best option of the three for me. I need sessions for user login, session continuity, and ultimately I need maximum security (without considering SSL for the moment, which I can make use of if necessary)

    thank you,

    DH

  2. #2 PHP John (joined Jul 2002, Along the Wasatch Fault line)
    You may want to look into custom session handling, which would store the session and its values in a database. There are some good tutorials on it... I'll do a search and post the results.
    John

  3. #3 PHP John (joined Jul 2002, Along the Wasatch Fault line)
    http://www.phpbuilder.com/columns/ying20000602.php3

    http://freshmeat.net/projects/pearsession/?topic_id=66%2C92%2C96%2C809
    John

  4. #4 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    Thanks John,

    I am still unclear to what the answer is to my questions.

    I would like to understand the differences between the 3 options and why I should choose one of them over the others.

    My sessions will need to store quite a bit of data temporarily and then write that data to the database (not continuously, but periodically)

    DH

  5. #5 quenting (SitePoint Guru, joined Dec 2002, Switzerland)
    Quote Originally Posted by dhtmlhelp
    Hello,

    Can anyone please explain the advantages and disadvantages of:
    1) Using sessions in combination with cookies (storing the session number on the client machine)
    2) Using sessions without cookies (passing the session number in the url)
    and
    3) Logging the IP address with sessions (with or without cookies).
    Using sessions with cookies allows you to store user data on his machine; then this data can be retrieved from page to page.
    The problem is some users don't have cookies enabled. When that is the case you need to pass the session id through the url.
    The embedded session mechanism in php4 does that automatically. It will attach session ids automatically to all links when needed, and if cookies are enabled will simply store the session data in one of them (without you having to handle anything).

    The problem then is that SE bots don't have cookies and don't like session IDs, so you have to trick your scripts to either not follow sessions when the user is not logged in or (if you want to track your guests / non-registered users) when the user agent is recognized as a SE bot.

    Adding IP tracking is a security double check to fight against session hijacking (try searching google for these words for more info).

    You may want to look into custom session handling
    Could you give some good reasons for implementing a custom session mechanism instead of php4's one? I'm just curious since I've been able to do whatever I wanted with it and this way I don't have to append session ids manually to all links.

    Quentin
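The post above contrasts cookie-carried session ids with ids appended to the URL. One point worth making explicit: with PHP's built-in sessions the cookie holds only the session id, and the session data itself stays on the server. The block below is an added example, not code from the thread, showing how a practitioner would configure PHP's own session mechanism today to keep the id out of the URL, refuse client-invented ids, set the cookie flags, and rotate the id at login so a session id fixed or observed before login is useless. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`); the function names and the `$_SESSION` keys are this example's own.

```php
<?php
// Added example (not from the thread): harden PHP's built-in session handling.
// Assumes PHP >= 7.3. Function names and $_SESSION keys are this example's own.

function configure_secure_session(bool $https): void
{
    // Refuse session ids from the URL (?PHPSESSID=...). This also blocks the
    // classic fixation trick of mailing a victim a link that carries an id.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Only accept ids this server issued; an unknown id gets a fresh one.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,   // only sent over TLS when the site runs on HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Rotate the id on privilege change: anything an attacker fixed or sniffed
    // before the password check no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie on the client as well as the data on the server.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();
}

// Per request, before any output:
configure_secure_session(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
// After a successful password check:
// login_user($account['id']);
```

With `use_only_cookies` on, visitors who block cookies simply get no session, which is the trade-off the thread is weighing; the URL fallback is what leaks ids into referrer headers, proxy logs and search-engine caches, so most sites now accept that trade.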

  6. #6 PHP John (joined Jul 2002, Along the Wasatch Fault line)
    I use them because I don't like the session id being passed through the URL, for the scalability, and I understand that they offer a little more security.

    But, primarily, I read about them when I was first learning PHP, tried them, and liked them. So I keep using them.
    John

  7. #7 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    Quentin, thanks.

    So I should use this standard php4 embedded session mechanism and check the IP address at every change of page, correct?

    I also need to track guests which seems to be creating a problem with SE bots. How do I tell only SE bots to ignore sessions and cookies?

    I will do some searching on IP tracking, thanks a million for the advice.

    DH

  8. #8 quenting (SitePoint Guru, joined Dec 2002, Switzerland)
    Quote Originally Posted by dhtmlhelp
    Quentin, thanks.
    So I should use this standard php4 embedded session mechanism and check the IP address at every change of page, correct?
    Well, at least that would be the simpler thing to do. The IP check is not even necessary, depending on the level of security you need. If not manipulating secure user data I would not care too much myself.

    I also need to track guests which seems to be creating a problem with SE bots. How do I tell only SE bots to ignore sessions and cookies?
    I will do some searching on IP tracking, thanks a million for the advice.
    DH
    The problem is that SEs associate a page with a url, and if your url contains the session id, it is different every time, thus making it a different page every time for the SE bot, finally making it not indexed.
    The idea is to check the variable $_SERVER['HTTP_USER_AGENT'] (I think that's the one, you might want to double check with a google search), and regexp it to see if it contains 'googlebot', 'fast', 'slurp' (inktomi) and all other bots you want to make your pages accessible to.
    Then, if yes, call the session_destroy() method which will simply stop the tracking and not add the sid to urls.

    Hope this helps
    Quentin
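The crawler check described above, as an added example that is not code from the thread. It differs from the post in one respect: the user agent is tested before `session_start()` is ever called, so a recognised crawler never receives a cookie or a session id at all, rather than having a session created and then destroyed. The crawler list and the helper names are this example's own, and the sample user-agent strings are constructed. A User-Agent header is set by the client, so this is crawl hygiene, not a security control; nothing a bot could see must depend on it.

```php
<?php
// Added example (not from the thread): decide whether to start a session based
// on the User-Agent, before session_start(). The crawler list is an assumption.

const CRAWLER_PATTERN = '/googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot/i';

function is_search_bot(string $userAgent): bool
{
    return preg_match(CRAWLER_PATTERN, $userAgent) === 1;
}

// Returns true when a session was started, false when the request was left
// session-less. Pass $_SERVER in a real request.
function start_session_unless_bot(array $server): bool
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if (is_search_bot($ua)) {
        return false;   // no cookie, no id, nothing appended to links
    }
    // Even for humans, keep the id out of the URL; see the earlier post on
    // cookie-only sessions. Both settings are runtime-changeable.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();
    return true;
}

// Constructed sample user agents.
$samples = [
    'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
    'Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0',
];
foreach ($samples as $ua) {
    printf("%-75s %s\n", $ua, is_search_bot($ua) ? 'crawler: no session' : 'visitor: session');
}
```

With `session.use_trans_sid` off, the original indexing problem (one URL per session id) goes away for everyone, and the user-agent check only spares crawlers the cost of an empty session record.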

  9. #9 Mo Money (SitePoint Addict, joined Nov 2002)
    But then AOL users won't be able to access your site because their IP address changes all the time, right?

  10. #10 quenting (SitePoint Guru, joined Dec 2002, Switzerland)
    Well, because of AOL users, usually an "ip check" consists of a "first 2 numbers check", which generally do not change. That's not 100% secure (the cost for this would be no support for AOL users) but still better than nothing.

    Quentin
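The "first 2 numbers check" above, generalised into an added example (not code from the thread): the session is bound to a network prefix rather than to the full address, so an address that moves within one block keeps the session while a hijacker on another network does not, and the user agent is bound alongside it as a second cheap check. The prefix lengths (/16 for IPv4, /48 for IPv6) are assumptions to tune; the function names and `$_SESSION` keys are this example's own, and the addresses in the walk-through are from the documentation ranges, not real users.

```php
<?php
// Added example (not from the thread): bind a logged-in session to the client's
// network prefix and user agent. Prefix lengths are assumptions.

function ip_prefix(string $ip, int $v4bits = 16, int $v6bits = 48): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                                   // not an address at all
    }
    $packed = inet_pton($ip);                          // 4 or 16 raw bytes
    $bits   = strlen($packed) === 4 ? $v4bits : $v6bits;
    $bytes  = intdiv($bits, 8);
    $rem    = $bits % 8;
    $prefix = substr($packed, 0, $bytes);
    if ($rem > 0) {                                    // partial last byte, e.g. /20
        $prefix .= $packed[$bytes] & chr((0xFF << (8 - $rem)) & 0xFF);
    }
    return bin2hex($prefix) . '/' . $bits;
}

// Call once, right after login (after session_regenerate_id()).
function bind_session_to_client(array &$session, string $ip, string $ua): void
{
    $session['net_prefix'] = ip_prefix($ip);
    $session['ua_hash']    = hash('sha256', $ua);
}

// Call on every request that relies on the logged-in state. On false, drop
// the session and send the user back to the login form.
function session_matches_client(array $session, string $ip, string $ua): bool
{
    $now = ip_prefix($ip);
    if ($now === null || !isset($session['net_prefix'], $session['ua_hash'])) {
        return false;
    }
    return hash_equals($session['net_prefix'], $now)
        && hash_equals($session['ua_hash'], hash('sha256', $ua));
}

// Constructed walk-through with RFC 5737 documentation addresses.
$session = [];
bind_session_to_client($session, '203.0.113.10', 'Mozilla/5.0 (demo)');
var_dump(session_matches_client($session, '203.0.113.77',  'Mozilla/5.0 (demo)')); // same /16 block
var_dump(session_matches_client($session, '198.51.100.10', 'Mozilla/5.0 (demo)')); // different /16 block
var_dump(session_matches_client($session, '203.0.113.77',  'curl/8.0'));           // user agent changed
```

Two caveats a practitioner would add: behind a load balancer or CDN, `$_SERVER['REMOTE_ADDR']` is the proxy, so the client address has to be taken from a forwarding header and only when the request really came from your own proxy; and an attacker on the same /16 (the same ISP, or the same campus) passes this check, so it is a speed bump on top of cookie-only sessions and TLS, not a replacement for them.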

  11. #11 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    Hang on,

    doesn't this mean that anybody using a dynamic IP (i.e. everyone using a 56k modem and some ADSL) cannot access a site that uses IP verification in its session?

    DH

  12. #12 Jeff Lange (joined Jan 2003, Calgary, Canada)
    Well it really depends how secure you really want it, if you want it really secure, that is true.

  13. #13 website (Member, joined Oct 2002, Iceland)
    Still, as I do it I make every session id dependent on the IP of the user; if the user's IP changes, he simply needs to log in again...
    - website

  14. #14 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    ok, what I feared, but thanks. The problem(s):

    I have added something to my cart and not logged in as a user

    My modem disconnects

    I connect again and everything is gone, whether my script has stored the cart info in a cookie or on the DB!

    Is there a solution to this problem?

    DH

  15. #15 Jeff Lange (joined Jan 2003, Calgary, Canada)
    Store the cart info on the server, and if a user logs back in, they get the info in their cart back.

  16. #16 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    Hey cyborg,

    thanks, but it doesn't answer my question. The user has not logged in at the time of adding the products to the cart (he has not identified himself)

    He has come to the site and added products to the cart

    his modem disconnects. When he reconnects how can I make sure he can still find his products in the cart?

    DH
    Last edited by dhtmlhelp; Jun 3, 2003 at 11:04.

  17. #17 Jeff Lange (joined Jan 2003, Calgary, Canada)
    Ahh, well in that case, since the user isn't logged in at all, session hijacking is not a concern, because he has provided no personal information.

    I'd only use IP verification for users who are registered and logged in.
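The reconnecting-shopper problem from the posts above, worked through as an added example that is not code from the thread. The cart is stored server-side under a random token carried in its own long-lived cookie, separate from the login session, and no IP check is applied to it, which is the split the post above suggests: the anonymous cart holds nothing personal, so a dropped modem connection and a new address do not lose it, while the IP binding stays reserved for logged-in users. The store is an in-memory array here (constructed) standing in for a database table keyed by the token; the cookie name, the 30-day lifetime and the function names are this example's own.

```php
<?php
// Added example (not from the thread): anonymous cart that survives a dropped
// connection. Storage is an in-memory array standing in for a database table.

const CART_COOKIE = 'cart_token';
const CART_TTL    = 30 * 24 * 3600;     // 30 days: an assumption

function new_cart_token(): string
{
    // 128 random bits: unguessable and not derived from the address or the session id.
    return bin2hex(random_bytes(16));
}

function cart_token_from_cookies(array $cookies): ?string
{
    $t = $cookies[CART_COOKIE] ?? null;
    // Accept only the exact shape we issue; anything else counts as absent.
    return (is_string($t) && preg_match('/^[0-9a-f]{32}$/', $t) === 1) ? $t : null;
}

// Options for setcookie(CART_COOKIE, $token, cart_cookie_options($https)).
function cart_cookie_options(bool $https): array
{
    return ['expires' => time() + CART_TTL, 'path' => '/', 'secure' => $https,
            'httponly' => true, 'samesite' => 'Lax'];
}

/** Returns [token, isNew]; a new token must be sent back with setcookie(). */
function load_or_create_cart(array &$store, array $cookies): array
{
    $token = cart_token_from_cookies($cookies);
    if ($token !== null && isset($store[$token])) {
        return [$token, false];             // known cart, no login required
    }
    $token = new_cart_token();              // unknown or tampered token: fresh cart
    $store[$token] = [];
    return [$token, true];
}

function add_to_cart(array &$store, string $token, string $sku, int $qty): void
{
    $store[$token][$sku] = ($store[$token][$sku] ?? 0) + $qty;
}

// At login: move the anonymous cart onto the account and retire the token, so
// the old cookie cannot be replayed to read the cart afterwards.
function merge_cart_into_account(array &$store, string $token, array &$accountCart): void
{
    foreach ($store[$token] ?? [] as $sku => $qty) {
        $accountCart[$sku] = ($accountCart[$sku] ?? 0) + $qty;
    }
    unset($store[$token]);
}

// Constructed walk-through: first visit, add an item, the modem drops, and the
// user comes back from a new address with only the cart cookie surviving.
$store = [];
[$token, $isNew] = load_or_create_cart($store, []);                     // first visit
add_to_cart($store, $token, 'SKU-123', 2);
[$again, $isNew] = load_or_create_cart($store, [CART_COOKIE => $token]); // after reconnect
printf("same cart: %s, contents: %s\n",
    $again === $token ? 'yes' : 'no', json_encode($store[$again]));
```

Because the token is the only thing that identifies the cart, it gets the same cookie flags as the session id; the difference is purely in what it unlocks, which is a list of products and nothing about the person holding it.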

  18. #18 dhtmlhelp (SitePoint Evangelist, joined May 2003)
    I see, thanks,

    DH

