3

I used this tutorial http://www.wikihow.com/Create-a-Secure-Session-Managment-System-in-PHP-and-MySQL to store sessions in MySQL. Everything works. I compared the cookies when sessions are stored in files and when sessions are stored in MySQL.

If sessions are stored in MySQL, as I understand it, no values should be stored in cookies.

I deleted all cookies and reloaded the page.

However, when I opened the cookies I see one cookie named _s.

Question. Why is something stored in cookies and what does it mean (_s)? What does the cookie do (what work)? I copied the cookie value of _s and see that the value is the same as the value (id) in MySQL. Is something wrong with the PHP code? In such a case it is useless to store sessions in MySQL (if values are available in cookies)... However, I see that on each page reload the session value in the cookie changes. It also changes in MySQL and the old value is deleted from MySQL. So, does it mean that in any case the session value is stored in the cookie for a short time?

If sessions are stored in files, does it mean that someone can copy the session value from a file, open the cookie, paste the value into the cookie and, without knowing the username and password, work in the website with the credentials of a certain user?

Andris

1 Answer

0

Storing sessions in MySQL or files doesn't make any difference from a user perspective. But there are two arguments against file sessions:

  • It is not scalable. If you have more than one web server, the file will be created on one of them, but not available on the others. So the user will only have access to his session half of the time if you have 2 servers.
  • In shared hosting, if all websites are sharing the same tmp, it is possible that another website owner could access your session ids. It is usually not the case, but it can be an issue.
Tchoupi
  • Thanks! And why is there a cookie if I store sessions in MySQL?... Oh, maybe I do not understand correctly... Is a cookie necessary in any case? The browser must write the session value somewhere, so it writes it in a cookie? I only noticed a difference. If I store sessions in files, Google Analytics cookies are recorded in the cookies. But if I store them in MySQL, I do not see the names __utma, __utmb, etc. in the cookies. Are Google Analytics cookies stored in MySQL? – Andris Mar 02 '13 at 12:38
  • @user2118559 Yes, the browser must keep the session id and pass it along to the website in order to stay identified. The cookies are stored in the browser in every case. The session **data** can be stored anywhere you want: file, mysql, mongodb, memcache... – Tchoupi Mar 02 '13 at 16:59
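
The split described in this thread (the session id travels in the `_s` cookie, the session data stays server-side, and regenerating the id removes the old row) can be reproduced with a custom save handler. This is an added example, not code from the posts or from the linked tutorial; it assumes the PHP 8 CLI, uses an in-memory array in place of the MySQL sessions table, and the class name `ArraySessionHandler` and the sample value are hypothetical.

```php
<?php
// Added example: an in-memory array stands in for the MySQL sessions table.
// Class and variable names are hypothetical; run with the PHP 8 CLI.
final class ArraySessionHandler implements SessionHandlerInterface
{
    /** @var array<string,string> session id => serialized session data */
    public array $rows = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->rows[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->rows[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->rows[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

$store = new ArraySessionHandler();
session_set_save_handler($store, true);

// The id in the cookie is all a client needs to be treated as this session,
// so keep it away from scripts and cross-site requests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_name('_s');                 // cookie name seen in the question

session_start();
$_SESSION['user_id'] = 42;          // constructed sample value, kept server-side only
$firstId = session_id();            // value the browser would receive in _s

session_regenerate_id(true);        // true = destroy the row stored under the old id
$secondId = session_id();
session_write_close();              // persists $_SESSION under the new id

echo "cookie _s on first request : $firstId\n";
echo "cookie _s after regenerate : $secondId\n";
echo "old row still in store     : " . (isset($store->rows[$firstId]) ? 'yes' : 'no') . "\n";
echo "data stored under new id   : " . $store->rows[$secondId] . "\n";
```

The cookie values printed are only identifiers; the `user_id` value appears solely in the store, which is why the backend (files, MySQL, memcache) can change without the browser noticing.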