RE: [PHP] Opinion: PHP Sessions or Cookies
Just as folks can turn off JavaScript, they can reject cookies. Sessions have some advantages over cookies.

> [Original Message]
> From: Ed Lazor [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: 07/13/2004 2:47:31 PM
> Subject: [PHP] Opinion: PHP Sessions or Cookies
>
> I'm using PHP sessions for user tracking. My host provider's server is dropping session data. He swears it's my scripts and says I should be using cookies for better security. That goes completely opposite to my understanding, so I'd like to run it by you guys.
>
> Which is more secure: PHP sessions or cookies?
>
> In case you're curious, more details on the specifics of the problem I'm experiencing:
>
> I have a prepend file that executes start_session. The script assumes the user is a guest if $_SESSION[UserID] is not set. All guests route to the login screen. Successful authentication sets $_SESSION[UserID] and sends you to the original requested page. It seems fairly straightforward to me.
>
> People are able to log in and start using the site, but the login screen displays randomly after they've already authenticated successfully.
>
> It sounds like PHP session data is being lost on the server. I've also seen error messages on web pages that report PHP / MySQL as having trouble reading from the temp directory. Here's the exact message: ERRORError writing file '/tmp/MYiYcf7q' (Errcode: 28).
>
> Anyway, those are the details. I look forward to hearing what you think.
>
> -Ed

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Opinion: PHP Sessions or Cookies
Except that sessions rely on data being passed to and from the client, usually in a cookie. You can do it yourself by passing the SID manually or using trans sid, but cookies are the normal way to keep the session working.

On Wed, 14 Jul 2004 00:10:17 -0700, Dennis Seavers [EMAIL PROTECTED] wrote:
> Just as folks can turn off JavaScript, they can reject cookies. Sessions have some advantages over cookies.

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--

Re: [PHP] Opinion: PHP Sessions or Cookies
Ed Lazor wrote:
> I'm using PHP sessions for user tracking. My host provider's server is dropping session data. He swears it's my scripts and says I should be using cookies for better security. That goes completely opposite to my understanding, so I'd like to run it by you guys.
>
> Which is more secure: PHP sessions or cookies?

Session certainly.

> It sounds like PHP session data is being lost on the server. I've also seen error messages on web pages that report PHP / MySQL as having trouble reading from the temp directory. Here's the exact message: ERRORError writing file '/tmp/MYiYcf7q' (Errcode: 28).

Looks like /tmp directory is out of space. Change the directory to your own, it's more secure anyway.

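The suggestion above (move session files out of the shared /tmp into a directory of your own), as an added example that is not part of the original thread. The directory path, the free-space threshold and the `/login.php` URL are assumptions chosen for illustration; the guest check on `$_SESSION['UserID']` follows the prepend file described in the original post.

```php
<?php
// Added example (not from the thread): prepend file that keeps session files
// in an application-owned directory instead of the shared /tmp.
// SESSION_DIR, MIN_FREE_BYTES and LOGIN_PAGE are assumed values.
const SESSION_DIR    = '/home/example/private/sessions'; // hypothetical, outside the web root
const MIN_FREE_BYTES = 10 * 1024 * 1024;                 // assumed low-space threshold
const LOGIN_PAGE     = '/login.php';                     // hypothetical login script

function prepare_session_dir(string $dir): void
{
    // Owner-only permissions: other accounts on a shared host cannot list
    // or read the session files, unlike a world-writable /tmp.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("session directory $dir is not writable");
    }
    // Errcode 28 is ENOSPC ("No space left on device") on Linux. Log a
    // warning before writes start failing and sessions silently disappear.
    $free = disk_free_space($dir);
    if ($free !== false && $free < MIN_FREE_BYTES) {
        error_log("low disk space for sessions in $dir: $free bytes free");
    }
}

prepare_session_dir(SESSION_DIR);
session_save_path(SESSION_DIR); // must be set before session_start()
session_start();                // data stays on the server; the client holds only the session ID

// Guests are routed to the login screen, except on the login page itself
// so the redirect cannot loop.
$onLoginPage = ($_SERVER['SCRIPT_NAME'] ?? '') === LOGIN_PAGE;
if (!isset($_SESSION['UserID']) && !$onLoginPage) {
    // Remember the originally requested page for after authentication.
    $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: ' . LOGIN_PAGE);
    exit;
}
```
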
Re: [PHP] Opinion: PHP Sessions or Cookies
Sounds like it could be a permissions issue to /tmp, but that's not likely as some work and some don't. More likely, /tmp isn't big enough. Ask the provider to check to see if it's being filled up (you can also check yourself with the 'df' command on the command-line).

It could also be an old version of PHP or the timeout settings for sessions. Check that stuff in phpinfo().

On Tue, 13 Jul 2004 14:47:16 -0700, Ed Lazor [EMAIL PROTECTED] wrote:
> I'm using PHP sessions for user tracking. My host provider's server is dropping session data. He swears it's my scripts and says I should be using cookies for better security. That goes completely opposite to my understanding, so I'd like to run it by you guys.
>
> Which is more secure: PHP sessions or cookies?
>
> In case you're curious, more details on the specifics of the problem I'm experiencing:
>
> I have a prepend file that executes start_session. The script assumes the user is a guest if $_SESSION[UserID] is not set. All guests route to the login screen. Successful authentication sets $_SESSION[UserID] and sends you to the original requested page. It seems fairly straightforward to me.
>
> People are able to log in and start using the site, but the login screen displays randomly after they've already authenticated successfully.
>
> It sounds like PHP session data is being lost on the server. I've also seen error messages on web pages that report PHP / MySQL as having trouble reading from the temp directory. Here's the exact message: ERRORError writing file '/tmp/MYiYcf7q' (Errcode: 28).
>
> Anyway, those are the details. I look forward to hearing what you think.
>
> -Ed

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--

RE: [PHP] Opinion: PHP Sessions or Cookies
-Original Message-
> Looks like /tmp directory is out of space. Change the directory to your own, it's more secure anyway.

I keep watching and /tmp seems ok space-wise, but I like the idea of overriding where session files are stored. I just made that change and I'm waiting for feedback from users to see if they're still getting login prompts.

Thanks Marek =)

-Ed

Re: [PHP] Opinion: PHP Sessions or Cookies
--- Ed Lazor [EMAIL PROTECTED] wrote:
> I'm using PHP sessions for user tracking. My host provider's server is dropping session data. He swears it's my scripts and says I should be using cookies for better security. That goes completely opposite to my understanding, so I'd like to run it by you guys.
>
> Which is more secure: PHP sessions or cookies?

First, I'd like to point out that sessions and cookies aren't opposite ideas at all. In fact, PHP's default session mechanism uses cookies for the session identifier (PHPSESSID).

The way I interpret your question is to ask whether it's better to store session data on the server (in $_SERVER) or on the client (in cookies).

When stored on the client, you rely on the client to send all session data to the server for every single request. These requests are sent across the Internet. The Internet is a public network. Hopefully this makes it clear that storing data on the server is more secure than having it sent across a public network for every single HTTP transaction (multiple transactions are typically required to render a single Web page).

I think your instinct (That goes completely opposite to my understanding) serves you well. :-)

Chris

Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/

Re: [PHP] Opinion: PHP Sessions or Cookies
On Wednesday 14 July 2004 12:45, Chris Shiflett wrote:
> The way I interpret your question is to ask whether it's better to store session data on the server (in $_SERVER) or on the client (in cookies).

So that people don't get confused: $_SERVER should be $_SESSION.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
...though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, The Peace War
*/