  #1 (permalink)  
Old 01-24-2008, 10:32 PM
Junior Member
 
Join Date: Jan 2008
Posts: 24
Sessions vs Cookies with PHP

I would like to be able to maintain certain information about a user across the span of my site. Let's say this is their username. I want this to be as easy as possible and somewhat foolproof. I am weighing the benefits and drawbacks of using cookies vs session info.

One question I have is, can sessions be used without displaying that awful session id info in the url?

Another is what are the pros and cons of using either of these methods?

Thanks in advance,
JL
  #2 (permalink)  
Old 01-30-2008, 06:21 PM
BigAlReturns's Avatar
Moderator Extraordinaire!
 
Join Date: Dec 2007
Location: The Wirral, England
Posts: 291

I would use sessions personally. They can be used without the id in the URL, in fact, I don't know how/why anyone does - it's certainly never been an issue for me! The cons of sessions would perhaps be a tiny increase in server load, but nothing I think would be of any concern. In terms of cookies, they are easily spoofed, and although sessions can be as well, it's a lot harder. I generally go with sessions for tracking per visit, and cookies to retain information between visits.
  #3 (permalink)  
Old 02-24-2008, 06:33 AM
Junior Member
 
Join Date: Jan 2008
Posts: 10

You should definitely go for sessions. Sessions are far more reliable, maintain state better and are under your control. Cookies, on the other hand, are often completely ignored by the browser or lost in window closes and opens etc. Leaving data in cookies also creates significant security issues and calls for all sorts of complex filtering to sanitize the data sent by the user, before you even get to constructing your page.

To disable PHP session IDs in the URL, add this to a .htaccess file:
Quote:
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
Most recent builds of PHP should have this setting set already; I believe it's been the default for quite some time. If your web host is on an old build of PHP (especially PHP 4), you might want to consider switching to a newer host.

Edit: See this article for more details.

Last edited by Draicone : 02-24-2008 at 06:35 AM. Reason: Add link to article
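
The two settings from the post above applied at runtime, with the username kept in the session rather than in a cookie. This is an added example, not code from the thread; it assumes PHP 7.1 or later, and the function names `start_cookie_only_session()`, `login_user()` and `current_username()` are hypothetical.

```php
<?php
// Added example. Hypothetical helper names; assumes PHP 7.1+
// (session_start() with an options array, nullable return types).

function start_cookie_only_session(): void
{
    // Runtime equivalent of the two .htaccess lines quoted above:
    // the session ID travels only in a cookie and is never rewritten into URLs.
    session_start([
        'use_only_cookies' => 1,
        'use_trans_sid'    => 0,
        'use_strict_mode'  => 1,  // refuse session IDs the server did not issue
        'cookie_httponly'  => 1,  // keep the ID cookie out of reach of page scripts
    ]);
}

function login_user(string $username): void
{
    // Issue a fresh ID when the user's status changes, so an ID that was
    // known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function current_username(): ?string
{
    // Server-side value: the browser only holds the opaque session ID.
    // $_COOKIE['username'], by contrast, would be whatever the client sent.
    return $_SESSION['username'] ?? null;
}

start_cookie_only_session();

if (current_username() === null) {
    // Constructed sample value; a real site sets this only after
    // checking the user's credentials.
    login_user('JL');
}

// A PHPSESSID supplied in the query string is ignored with these settings.
header('Content-Type: text/plain');
echo 'Hello, ', current_username(), "\n";
```

Only the session ID leaves the server here, so editing cookies in the browser cannot change the stored username.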