--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> I'm using PHP sessions for user tracking. My host provider's server is
> dropping session data. He swears it's my scripts and says I should be
> using cookies for better security. That goes completely opposite to my
> understanding, so I'd like to run it by you guys. Which is more secure:
> PHP sessions or cookies?

First, I'd like to point out that sessions and cookies aren't opposite ideas at all. In fact, PHP's default session mechanism uses cookies for the session identifier (PHPSESSID).

The way I interpret your question is to ask whether it's better to store session data on the server (in $_SERVER) or on the client (in cookies). When stored on the client, you rely on the client to send all session data to the server for every single request. These requests are sent across the Internet. The Internet is a public network.

Hopefully this makes it clear that storing data on the server is more secure than having it sent across a public network for every single HTTP transaction (multiple transactions are typically required to render a single Web page).

I think your instinct ("That goes completely opposite to my understanding") serves you well. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
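
The comparison in the reply above, as an added example that is not part of the original message: it builds the `Cookie` header one request would carry under each design and reports which state values are readable on the network. The sample state values and the helper function names are assumptions made for illustration; run it from the PHP command line.

```php
<?php
// Added example. The state values below are constructed, not from the thread.
$state = ['user_id' => '42', 'email' => 'user@example.test'];

// Design A: state stored in cookies. The browser returns every value in the
// Cookie header of every request.
function cookie_header_client_side(array $state): string
{
    return 'Cookie: ' . http_build_query($state, '', '; ');
}

// Design B: PHP's default session mechanism. State is written to the server's
// session store; the browser receives only the identifier cookie.
function cookie_header_server_side(array $state): string
{
    session_start([
        'save_path'       => sys_get_temp_dir(), // assumption: writable temp dir
        'cookie_httponly' => true,  // keep the identifier away from page scripts
        'cookie_secure'   => true,  // send the identifier over HTTPS only
        'use_strict_mode' => true,  // refuse identifiers the server did not issue
    ]);
    foreach ($state as $key => $value) {
        $_SESSION[$key] = $value;
    }
    $header = 'Cookie: ' . session_name() . '=' . session_id();
    session_write_close();          // persist the state on the server
    return $header;
}

// Which state values can someone watching the network read from one request?
function exposed_on_wire(string $header, array $state): array
{
    return array_keys(array_filter($state, function ($value, $key) use ($header) {
        return strpos($header, $key . '=' . urlencode($value)) !== false;
    }, ARRAY_FILTER_USE_BOTH));
}

// On the next request the server looks the state up by identifier alone.
function state_from_session(string $header): array
{
    [, $id] = explode('=', $header, 2);
    session_id($id);
    session_start(['save_path' => sys_get_temp_dir(), 'use_strict_mode' => true]);
    $data = $_SESSION;
    session_destroy();              // remove the sample session file
    return $data;
}

$a = cookie_header_client_side($state);
$b = cookie_header_server_side($state);
$restored = state_from_session($b);
echo $a, "\n  exposed: ", implode(', ', exposed_on_wire($a, $state)) ?: '(none)', "\n";
echo $b, "\n  exposed: ", implode(', ', exposed_on_wire($b, $state)) ?: '(none)', "\n";
echo '  restored on server: ', json_encode($restored), "\n";
```

The identifier itself still crosses the network on every request, which is why the example sets `cookie_secure` and `cookie_httponly` when starting the session.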