-3

I have been trying to understand $_SESSION & $_COOKIE variables. I was first trying to use both together. I have been trying to get them both to work; I guess the session would throw off the cookie ID or vice versa. Anyway, can you use cookies and sessions together for the same purpose to be more failsafe?

I have a login script that picks up a confirmed user and takes them to a logged-in page where she/he (the user) can see the specific record of their database row. Now, from here there is a link that will take them to an order page. Now, with sessions/cookies (sessions, I assume) being passed after the array is initially set... how do I pull up the passed session and allow them to still hold that database connection to their file so they can order and add data to it, or do I need to connect again to the database? I tried `from user={$_SESSION['user_id']};` but it does not work in the MySQL command statement.

Using COOKIES AND SESSIONS together at ONCE in a script, is it possible? If someone leaves the shopping cart and comes back, no info is saved from the SESSION and a COOKIE would save this, HOWEVER safe to DESTROY the SESSION after ALL EXITS to CLEAR anything personal, etc... and at the same time the cookie would save the info. THE POINT HERE WOULD BE FOR THE COOKIE TO SAVE DATA AND THEN THE SESSION WOULD DESTROY THE COOKIE AND SESSION AFTER SOME POINT.

Kara
user1594629
  • tl;dr, all you have to know is that `$_SESSION` creates one cookie called `PHPSESSID` -> the server memorizes an array and associates it with the value of `PHPSESSID` (which is a 32 hex string). `$_COOKIE` on the other hand just stores a value that can be changed on the client side. I'd much prefer `$_COOKIE` because I can save a hash in the database without relying on PHP. – Dave Chen May 28 '13 at 04:40
  • 1
    *"Hope this is clear enough"* nope. –  May 28 '13 at 04:41
  • "$_SESSION creates one cookie called PHPSESSID" not always –  May 28 '13 at 04:41
  • Just a quick summary, not posted as an answer :) – Dave Chen May 28 '13 at 04:42
  • 2
    Don't use `$_COOKIE` unless you understand HTTP protocol and are absolutely sure of what you are doing. – Havenard May 28 '13 at 04:43

3 Answers

1

Think of $_SESSION as a cookie that lives on the server instead of the client machine. I like CodeIgniter's approach of storing the session id in the database, and storing the session id in the cookie. Easy, secure persistence.

AlienWebguy
1

Sessions commonly, but not exclusively, use cookies, but the difference is that PHP $_SESSION only saves one piece of info to the cookie: the PHP session id. The rest of the information is stored in the PHP session directory on the server and recalled only by reference to that saved id in the user's cookie.

$_COOKIE, on the other hand, actually writes data to your local computer's cookie in plain text and calls on that data as needed. $_COOKIE data is persistent (depending on the end user's browser settings), whereas $_SESSION (at least by default) is not.

Phillip Berger
  • "$_SESSION and $_COOKIE use cookies" , nope –  May 28 '13 at 04:44
  • @Dagon: I'm really sorry but they do. The PHPSESSID gets stored in a local cookie that is referenced by the server. – Phillip Berger May 28 '13 at 04:45
  • http://stackoverflow.com/questions/1376731/do-php-sessions-set-any-cookies, the question is tagged `cookies`, so I imagine it wants to deal with session using cookies. @Phillip: you're wrong :) – Dave Chen May 28 '13 at 04:45
  • I'm not sorry, you are still wrong ;) A session *can* use a cookie for id propagation, but that's not the only option –  May 28 '13 at 04:46
  • Would you care to enlighten us how a PHP server can start a session with no local reference on the user's computer? – Phillip Berger May 28 '13 at 04:47
  • get variables, which is pretty much not even related, but in this context Dagon is correct. – Dave Chen May 28 '13 at 04:48
  • it was common practice for session ids to be propagated in the url, as cookie support was poor. Now not common but still an option –  May 28 '13 at 04:48
  • Ah, `$_GET` params... well c'mon no one does that and it's unreliable. Besides, by default `$_SESSION` does use a cookie to store the ID so I don't think my answer is strictly wrong. – Phillip Berger May 28 '13 at 04:49
  • you can turn off cookies at the browser .. you can't turn off get. – Orangepill May 28 '13 at 04:49
  • cookies are unreliable too. anything on the user's machine is. wrong is wrong - suck it up and accept it. –  May 28 '13 at 04:49
  • 1
    Now you're just being argumentative. `$_SESSION` does use cookies as one way to store an ID which is associated with a namespace on the server. As a matter of fact it's the default way. – Phillip Berger May 28 '13 at 04:52
  • 1
    It's all good Phillip, I fixed your answer for you. You are welcome ;) –  May 28 '13 at 04:54
  • I saw your edit Dragon, fair enough. – Phillip Berger May 28 '13 at 04:55
  • Dragon and a guy named Chen working together? Not at all surprising. – Phillip Berger May 28 '13 at 04:56
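
The server-side lookup this answer describes, applied to the order page from the question, as an added example that is not code from the thread. The table, columns and function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for MySQL (assumes the `pdo_sqlite` extension) so the script runs offline from the CLI.

```php
<?php
// Added example, not code from the thread. Table, column and function
// names are hypothetical; the in-memory database and its rows are constructed.
declare(strict_types=1);

session_start();                       // only the session ID travels in the cookie

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)');
$db->exec("INSERT INTO orders (user_id, item) VALUES (7, 'widget'), (8, 'gadget')");

// Login page: once the password check has succeeded, rotate the session ID
// and record the user server-side. The client never sees or sets this value.
function log_in(int $userId): void
{
    session_regenerate_id(true);       // fresh ID at login guards against fixation
    $_SESSION['user_id'] = $userId;
}

// Order page: every request opens its own database connection; the session
// only carries the user id. Bind it as a parameter instead of interpolating
// {$_SESSION['user_id']} into the SQL string.
function orders_for_current_user(PDO $db): array
{
    if (!isset($_SESSION['user_id'])) {
        return [];                     // not logged in: no rows
    }
    $stmt = $db->prepare('SELECT item FROM orders WHERE user_id = :uid');
    $stmt->execute([':uid' => $_SESSION['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

log_in(7);
print_r(orders_for_current_user($db)); // lists only user 7's items

// Logout: drop the server-side data, then the session itself.
$_SESSION = [];
session_destroy();
```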
1

First thing to remember is that HTTP is a stateless protocol, meaning that at the protocol level the server gets a request, services the request, returns the output and forgets what happened. That means anything that has to be remembered between requests has to be implemented at the application level.

Cookies are passed back and forth from the client to the server, if you want to you can think of this as shared state that is both readable and writable by either the client or the server.

A session is server-side storage that is identified by a specific cookie value (or maybe some other kind of request parameter; session IDs can also be passed around in GET requests). So it is only available for reading and writing by the server. The session id that is stored within a cookie only exists so that the server can identify the client and marry it up with the server-side storage from request to request.

Orangepill
  • Basically php handles all your information. Cookies alone is more abstract, no? You can do anything sessions can do and more. – Dave Chen May 28 '13 at 04:54
  • Cookies are readable and writable by either the client or the server so it is untrustworthy. Imagine if after login you set $_COOKIE["authenticated_user"] = "orangepill"; I could go into chrome dev tools and reset that value to "admin"; – Orangepill May 28 '13 at 05:01
  • with sessions what gets passed around is $_COOKIE["PHPSESSID"] = "a;lkgjq034q6qgssrtw4068wreohp4o6y" and if I change that cookie the server just forgets who I am. – Orangepill May 28 '13 at 05:03
  • Oh no, I mean, using $_COOKIE like session, $_COOKIE['specialKey']='d41d8cd98f00b204e9800998ecf8427e' – Dave Chen May 28 '13 at 05:03
  • Yep... they just exist to bind persistent state from request to request. – Orangepill May 28 '13 at 05:04
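
The tampering scenario from the comments above, handled for a cookie that has to survive the session (the cart from the question), as an added example that is not code from the thread. `SECRET`, `sign_cookie()` and `verify_cookie()` are hypothetical names and the cart values are constructed; identity still belongs in `$_SESSION`, and the cookie carries only data the server can authenticate with an HMAC.

```php
<?php
// Added example, not code from the thread. SECRET, sign_cookie() and
// verify_cookie() are hypothetical names; the cart values are constructed.
declare(strict_types=1);

const SECRET = 'replace-with-a-random-server-side-key'; // never sent to the client

// Build a cookie value the client can read but cannot alter undetected.
function sign_cookie(string $payload): string
{
    $mac = hash_hmac('sha256', $payload, SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Return the payload if the MAC matches, or null if the value was changed.
function verify_cookie(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, SECRET);
    // hash_equals() compares in constant time
    return hash_equals($expected, $parts[1]) ? $payload : null;
}

// The server issues a signed cart cookie; on a later visit it checks the
// value before trusting it.
$cart   = json_encode(['sku' => 'A-100', 'qty' => 2]);
$cookie = sign_cookie($cart);
var_dump(verify_cookie($cookie) === $cart);

// The client edits the payload in dev tools (qty 2 -> 200) and reuses the
// old MAC. Without SECRET the MAC cannot be recomputed, so the check fails.
$forged = base64_encode(json_encode(['sku' => 'A-100', 'qty' => 200]))
        . '.' . explode('.', $cookie, 2)[1];
var_dump(verify_cookie($forged));
```

In a real page the signed value would be sent with `setcookie()` using the `httponly`, `secure` and `samesite` options and read back from `$_COOKIE` before verification.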