Do I login using cookies or sessions in a login system?

Do I login using cookies or sessions in a login system? I’ve seen examples using sessions and cookies so I am confused! Can someone please explain this?

What do most sites use? Love to know!

Thanks in advance ;-)

There are three different sorts of cookies and the ones most likely to be disabled are third party cookies (because they are normally used by advertisers whose images or iframes appear on the site).

Only first and third party cookies get written to a file. Session cookies are held within the browser itself and cease to exist when the browser is closed. These are the safest sort of cookies and are all that a session needs in order to function.

I don’t think there are many people with cookies disabled anymore. There used to be a big scare about cookies and privacy but that was like a decade ago, and a lot of sites break down without cookies anyway.

The advantage of using cookies is that they can be long-lived, and sometimes you want to offer the convenience of not having to log in at every visit but keep the user identified for a few days/weeks/months.

The number of sites that I’ve accessed from public computers is scary. Using cookies for anything besides UI settings is asking for trouble. Sessions definitely. Sessions that use cookies to pass the session id is best (php.ini session.use_only_cookies).

On the v2Media website, the percentage of visitors that don’t receive cookies is quite small (<1%). The same applies to most of our client sites. So based on those percentages, it’s quite ok to use_only_cookies.

If your site requires a session for functionality, logon or cart etc, do a cookie test and output a warning to the user to configure their browser to receive cookies for the domain.

When users disable cookies and get the session_id in their query string, there is a risk they might share the URL of a page and inadvertently give away their session. Session ID in the cookies is certainly preferable.

London-ninja, there are settings in your php.ini file that control this stuff.

That makes no sense since the preferred way of establishing a session is to use a cookie rather than having to pass the session id in the querystring.

Session login is always preferred, if you specifically do not need any cookie variables to set for your webpage.

Sessions use either a cookie to pass the session id between pages or add it in the querystring. Since many sites prefer to disable the option to use a querystring their sessions are basically a cookie with all the data except an id stored on the server.

If a user has disabled cookies in his browser, how would he login if you only used cookies?

Base the login on sessions, and then add cookie support on top of that, like the “Remember me”.
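
The approach the replies above describe (a cookie-only session for the login itself, with a "Remember me" cookie layered on top), as an added example that is not part of any post in this thread. The helper names, the `selector:validator` token format and the `$tokens` array standing in for a database table are assumptions.

```php
<?php
// Added example: helper names, the token format and the $tokens array
// (a stand-in for a database table) are assumptions, not from the thread.

function start_session(): void {
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: dropped when the browser closes
        'path' => '/',
        'secure' => true,      // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void {
    session_regenerate_id(true); // fresh id at login, old one is discarded
    $_SESSION['uid'] = $userId;  // login state lives on the server only
}

// "Remember me": the long-lived cookie carries a random token, and only a
// hash of it is stored, so a leaked table cannot be replayed as cookies.
function issue_remember_token(int $userId, array &$tokens, int $days = 30): string {
    $selector = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $tokens[$selector] = [
        'uid' => $userId,
        'hash' => hash('sha256', $validator),
        'exp' => time() + $days * 86400,
    ];
    return $selector . ':' . $validator; // value for the persistent cookie
}

function redeem_remember_token(string $cookie, array &$tokens): ?int {
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    $row = $tokens[$selector] ?? null;
    unset($tokens[$selector]); // single use: issue a new token after each redeem
    if ($row === null || $row['exp'] < time()) {
        return null;
    }
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['uid'] : null;
}

// Constructed walk-through for the command line: the replayed token is refused.
$tokens = [];
$cookie = issue_remember_token(42, $tokens);
var_dump(redeem_remember_token($cookie, $tokens), redeem_remember_token($cookie, $tokens));
```

In a web request, `start_session()` runs before any output; when a remember token redeems successfully, call `log_in()` and send a freshly issued token with `setcookie()` using the same `secure` and `httponly` flags.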