#33669 10/17/2000 4:16 PM
Anonymous
Unregistered
Another cool feature of php4 is built in session support. This could open the doors for a lot of neat features like the my.wwwthreads idea and more.

Will you be using sessions? Have you thought about the possibilities it brings? I'm sure others can come up with more as well.

Will

#33670 10/17/2000 7:54 PM
Former Developer
No sessions in the initial port. Sessions basically work via cookies or temp files, and with the way WWWThreads is set up it actually is basically a session once you log in. Every script knows who you are, so we can track and display any type of info for a particular user.

---
Scream
http://www.wcsoft.net

#33671 10/19/2000 3:51 AM
Anonymous
Unregistered
I really DISLIKE the feature of w3t saving my username, password, language, and some other variable in a cookie. I'm not really against cookies but there are some browsers that do throw fits when another part of the web site attempts to set a cookie with a different directory (w3t specifies its own directory so I can't just set mine to path=/). All I have been able to tell these users is to upgrade to the latest browser version. Session support would fix this. Sessions are incredibly easy to support, Scream; their functionality is pretty much the same as your cookies. All you would need is 1 function call at the top of your page and replacing your setcookie() call with session_register(). Also people with cookies disabled and people with old computers could access w3t because it would append the session ID to the end of the URL instead of via a cookie.

For those who are interested, I'll release a hack for session support as soon as I see the PHP version of w3t.

Finally I'll be making hacks by the hundreds for w3t because it's finally in PHP, a language I like, unlike Perl (which should be banned by the U.N. from being used or something like that) :)

#33672 10/19/2000 10:45 AM
Former Developer
The one thing I haven't figured out about sessions, and one of the main reasons I haven't used it yet. A lot of people don't like to have to log in every time they come to visit the forums. From what I have read so far, sessions are only for that current browser session. So, users would have to log in each time they visited, correct? Also, I haven't come across where you specify to store the session variables, cookies, temp files, etc. Any help would be appreciated. If there really is a benefit to using sessions, then I would use them.

---
Scream
http://www.wcsoft.net

#33673 10/19/2000 10:49 AM
Former Developer
As a followup, I know some of the session info can be set in the php.ini file. Since a lot of users will be on a hosted machine, do you know if there is a way to set this in a required file, like the main.inc.php that I will use for all functions?

---
Scream
http://www.wcsoft.net

#33674 10/19/2000 1:03 PM
Former Developer
Replying to myself. I got all of this figured out. Have moved all ported scripts over to support sessions. Seems to work fine and dandy.

---
Scream
http://www.wcsoft.net

#33675 10/19/2000 1:15 PM
Former Developer
Blah, scratch that. While I do have sessions working, they don't cross browser sessions. Which means users will have to log in upon each visit. Unless we store a username and password cookie, which bypasses the whole need for sessions in the first place :rolleyes:

---
Scream
http://www.wcsoft.net

#33676 10/19/2000 1:55 PM
Anonymous
Unregistered
Are sessions any faster than using cookies? (You don't have to keep reading a file from the user's system, right?)

Why not grab the cookie if a session hasn't been created, and then from that point track the user with the session instead of the cookie, until the session expires?

Can't you do persistent db connections with sessions or some junk like that also? That would be cool. Or are you already doing that?

Actually.. I think it would be a bad idea to use sessions.. Those can bring down servers if you get a lot of hits (at least they do in ASP).. I would just stick to using cookies.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33677 10/19/2000 2:14 PM
Former Developer
I don't really think there is a speed benefit. Your cookies are automatically sent with every request to the site, so there really isn't much going on there.

The only reason I can think of to use sessions would be so you don't have to use cookies. So, if we are going to use cookies at all then there really isn't a need for sessions.

You can do persistent connections with PHP, no need for sessions for this. Don't have the variable put into the config yet, but it will be.

There would be quite a bit of file I/O on heavy traffic sites if sessions are used. Right now I'm just going to port with the cookies until I gain more knowledge in this area and can see a real benefit.

---
Scream
http://www.wcsoft.net

#33678 10/19/2000 2:20 PM
Anonymous
Unregistered
oh that's right.. duh wtf was I thinking (about cookies being sent in the headers..)

Ok here's what I say you do.. People who don't use cookies are screwed basically right? So when the user logs in give them the option to pick cookies or sessions.. sessions are temporary for that browser session and cookies last longer..

That way people who refuse to turn cookies on can still browse the forum.. (they don't have to login for every post or what not)

or is it possible to tell if user has cookies turned off? if so just check and if they do.. use a session to track them once they login or something.. that way cookies are used when they can be, but if not then sessions are used instead..?

just some ideas hehe..

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33679 10/19/2000 2:39 PM
Anonymous
Unregistered
I like PeelBoy's suggestion.

I see no need to move everyone to sessions, just those who can't/won't use cookies.

It's a simple matter to tell if a user is accepting cookies--attempt to set a test cookie, refresh to another page that checks if that cookie was actually set. If it was, continue as normal, if not, switch over to sessions.

That gives the cookie-less people an almost identical experience to the rest of us. I suppose you could have an option somewhere of "cookies or sessions", but I don't think that's really necessary--if someone doesn't want to use cookies, they can just turn them off themselves.

#33680 10/19/2000 2:46 PM
Anonymous
Unregistered
I personally don't understand people who don't use cookies. Everyone _can_ use cookies...it's been in since Netscape 1.1. Unless they're using Lynx or something similar (which still supports cookies, I think)...
Regardless...cookies are so entirely harmless, that I have no pity for anyone who doesn't use them. It's a wonderful way to use functions like w3t and it doesn't store anything that wasn't available to the site in the first place.
Since sessions are only once per browser session, they really do the user almost no good! The only thing they do for the user is...well...nothing! You still have to login every time you come to the site, and the best way to handle the user being logged in or not is with cookies. Unless someone can come up with any good reason not to use cookies, I see no reason to spend even a minute on sessions...

Flame away, privacy advocates! ;)

#33681 10/20/2000 3:00 AM
Anonymous
Unregistered
I agree and disagree..

Cookies are great.. I like them a lot..

But yes they can be insecure..

Outside apps that you run on your computer -can- look at cookies and possibly find information..

Also.. A while back I wrote a .js file that could be included in a post on this forum.. It would pull your user name and password, then create an image tag pointing to a cgi script on my server (with a query string that contained the user name and password) From there it could store everybody's user name and password into a database (I just wanted to see if it worked.. it did.. so I reported it as a bug and deleted the scripts)


Although cookies aren't a -bad- thing.. some people are silly and think they are.... For those people it would be nice to have sessions.. You're right that sessions work in just one instance of your browser, but that isn't a bad thing.. you have to login every time you close the browser, but at least you can post messages on the forum if anon users is turned off.. without cookies you can't I don't think (or if you can, you have to login every time!!)...Also people could see you in the who's online list etc.. without sessions or cookies you are basically an anonymous user.. which means you might not have as many options as a user who is logged in........

Oh and like a33 says above.. Cookies are used a lot for tracking users.. I know this for a fact because the company I -used- to work for (coremetrics.com) tracks users with a cookie.

------------------------------------------------
Jeremy 'PeelBoy' Amberg
Edited by PeelBoy on 10/19/00 12:12 PM.

#33682 10/20/2000 3:03 AM
Anonymous
Unregistered
LoneWolf,

I think there is a definite privacy risk involved with cookie use. I'm not paranoid or anything, but I think most of us know by now that advertising companies profile us, greatly through the use of cookies.

I don't have any problem with "regular" cookies, ones that are actually meant to make things easier (like the ones for W3T). It's the 3rd party cookies that I try and avoid like the plague. If you've ever set your browser to prompt you for cookies before accepting, you'll know what I'm talking about. You go somewhere like msn.com and see cookies being sent from all these different ad company domains. Hmmmm... I wonder what they're doing? I'm sure there's a "good" reason why those cookies need to be sent to me, right? I don't think so...

If anyone wants to see a browser with outstanding cookie filtering options, check out Opera 4.0. I swear by it now and wouldn't consider switching back to anything else. You can set it to block all cookies, block just certain domain cookies, accept only certain domain cookies, block 3rd party cookies, etc. It's just perfect.

I have it prompt me for all domains that I haven't already set up a filter for. When new domains come in, I set them to either be accepted or blocked from that point on. The first week or so of doing this, I got prompted all the time, but now 90% of the sites I visit regularly have been recorded one way or another, so I rarely get asked about cookies now. And of course, every ad company's domain I've ever come across has been blocked--if you do just that, you'd be amazed at the amount of cookies that are wiped out.

Even without the cookie filtering, Opera's a great little browser--speedy too.

#33683 10/20/2000 3:10 AM
Former Developer
Ok, what I am doing is making this an option on a per site basis. If you have access to your own php.ini file and you choose to use sessions, you could set it so the session id is stored in a cookie and is persistent so they won't have to log in each time. If you don't have access to your own php.ini file and you don't want your users to have to log in each time then you could use cookies for the default tracking method.

---
Scream
http://www.wcsoft.net

#33684 10/20/2000 3:33 AM
Anonymous
Unregistered
As far as the outside apps, that would be what I would call a "bad" app :) ..one that searches your HD for cookies? That program wouldn't get used by very many people, and if it did, I would call it a virus. That's not an insecurity of cookies...it's an issue with virus type software.
As far as the JS, I saw that, and it's interesting, and as you mentioned, a bug that w3t even allowed it. Again...not a cookie problem.

#33685 10/20/2000 3:35 AM
Anonymous
Unregistered
Oooh...almost forgot...as far as tracking users...you can only track them on your own site!! Not very useful, except for improving the site you go to! :)
BTW...it's very easy to enable cookies in people's browsers. ;)

#33686 10/20/2000 3:37 AM
Anonymous
Unregistered
How can it be a privacy risk? They can't get any information from you that you didn't give them/they are able to read anyway! They can track you only in their own site...they can't monitor your overall web activity. The best they can get if you don't put any info in is your IP, browser, etc....not like they're invading your privacy!

#33687 10/20/2000 3:38 AM
Anonymous
Unregistered
Nice solution. :) I just like starting fights sometimes ;) Good work!

#33688 10/19/2000 4:10 PM
Anonymous
Unregistered
> They can't get any information from you that you didn't give them/they are able to read anyway!
> They can track you only in their own site...they can't monitor your overall web activity.

That's completely untrue. This stuff is old news: http://slashdot.org/yro/99/10/22/0249212.shtml.

Maybe I'm just weird, but to me, the idea of these companies tracking my online habits and putting it all together in one huge database, either connected to my IP address, or in some cases my actual name, etc., is more than a little disturbing.

I'll continue to monitor all incoming cookies and decide for myself which ones are necessary. If you're not bothered by this, then by all means, continue treating cookies as harmless little things.

#33689 10/19/2000 4:16 PM
Anonymous
Unregistered
True, it's a bad app, but what makes you think it doesn't happen? Almost all Microsoft products grab information about you from the registry and send it to Microsoft (like when you register an app)....... does that stop people from using the software? nope!

Most people don't even know about it... They could do that with cookies also and you would never know. (not saying anybody does, but it is possible)

Also, yes you CAN track cookies over multiple sites.. ad companies do it .. all you do is set a global cookie......... coremetrics puts a cookie on your machine and tracks -everything- you do on ANY site that runs their product.. (when you visit the site it reports to their servers w/ your cookie id and what you are doing) in other words if you fill out a form with your name and address, it gets sent to coremetrics and associated with your cookie.. bet ya didn't know that? hehe... (this only happens on sites that run coremetrics product though)

I'm not saying that is bad .. they don't use the information in a bad way.. but it IS possible...... some banner ad companies sell your 'surfing' habits (they know which of their affiliate sites you have visited, and where you went on those sites etc..)

again.. nothing bad really, but it's still possible to do, there is no denying it..

as for the js file thing.. yeah.. it was a bug on here, but it still only affects people who use cookies and if I never said anything nobody would have ever found that bug I don't think.. people who turn off cookies -can- be just protecting themselves from bugs like that.. they do exist, and they are a threat... shutting off cookies DOES make things a little safer... I know it's not the cookies' fault, it's a misuse of cookies by the person who creates the product, but nonetheless it still happens, and people don't find out about it until it's too late...

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33690 10/19/2000 4:28 PM
Anonymous
Unregistered
I guess sessions will be a memory hog?
If you have 200 users online at the same time, it will use A LOT of memory, right?

Benj

#33691 10/19/2000 4:38 PM
Anonymous
Unregistered
Yep yep..

sessions kill servers under load..

200 users on the forum at once is a lot though.. (That is a pretty popular forum)

You don't need to track anonymous users.. So that cuts 1/4th of them usually..

And if you use sessions to only track users who have cookies disabled I think it would work great.. You would only have maybe 1 or 2 users online who are being tracked by sessions..

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33692 10/19/2000 4:40 PM
Anonymous
Unregistered
Ah, I see...so they have my ID. Ummm...yeah. My "ID". Hope they don't, ya know, look up that "ID", in their ID database! They might find that I use IE5.5! ;) I do know that they can connect that ID to my info...IF I ever gave them my info! Otherwise, it means nothing to them, except the path of a "human" on the web! :) I guess it is a matter of personal preference, but that seems kinda paranoid to me...I dunno. I guess the option is nice. But...uh oh...that means that in the case of the "global cookie", PHP sessions won't help!! DOH!
So basically, my point is that w3t has a useful and valid use for cookies, which everyone should use. I have said it, and thus it has been said. ;) On the other hand, thanks for putting in the option, Scream.

#33693 10/19/2000 4:55 PM
Anonymous
Unregistered
But the problem is that you assume they -only- use cookies..

It's not good to assume that..

Let's put it this way.. You visit a site to buy something.. The site grabs your cookie and then reports back to a server that you just visited their site. Then you decide to buy a product so you find the stuff you want and add them to your cart.. Each time you add an item to your cart the website tells the server exactly what items you are adding to your cart. THEN you fill out your address and cc info.. That gets sent to the server also (along with your cookie id!!).. now that site has all of your info.. so where does this cookie id come in? well it's a global cookie which means you are tracked across multiple sites, which all run this "tracking" software...

That means I can go to my "user tracking" database and do a lookup on "Lone\/\/olf" and I can see that you visit this sex site and got a porno, then you went to walmart.com and got some hand cuffs, then you went to some other place and got a new bike.... and then I can go and sell all of your contact information to another company who wants to send you ads for porno since they KNOW you like to buy porno............. Not just email ads, but phone, and snail mail ads also. this can be done without using cookies, but cookies is what ties it all together.. it's what the site uses to know who you are on each page you visit, and it is used to track you on other websites.. etc.. and you never know all of this is happening either.. not unless you always read the privacy pages on every website you shop at...

and yes.. w3t's use of cookies IS very valid.. I'm just saying that people who disable cookies probably have a pretty good reason, and I wouldn't say they are 100% wrong, and I think it would be good to take these people into account because they -are- out there and they do deserve to use this forum if they want, without having to enable cookies.. Tracking users who have cookies disabled by using a session is a good enough solution.. it will let them use the forum, but they will have to log in every day, or every time they close the browser.. that beats not being able to use the forum at all.


------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33694 10/19/2000 5:00 PM
Anonymous
Unregistered
Scream, if you download ewaddle from http://www.ewaddle.com/ you'll get a clever way to get the session capabilities without relying on PHP4 sessions. I think PHP3 will continue to be the most used coding script for a while before being replaced by PHP4. Reasons are multiple.

Session doesn't replace the cookies to remember the login parameters.

#33695 10/19/2000 5:05 PM
Anonymous
Unregistered
Only problem with this, is that cookies are not needed for this scenario! If I buy from a site that totally doesn't use cookies, they still get my info, they can still send me mail! If I go to Wal-Mart (in real life, not on the web), I still get magazines, etc. from them! Do you really think that you aren't tracked, just because you disable the cookie? Do you seriously think that Wal-Mart, etc don't sell your data to ad companies and data warehouses? And if you really didn't want to get the catalog of porn, then you probably shouldn't have told the porn store where to ship the merchandise!

Please realize that I'm not arguing the point of having an alternative in w3t...alternatives are always nice. I just like playing Devil's advocate ;)

#33696 10/19/2000 5:19 PM
Anonymous
Unregistered
(ok so my typing skills aren't so hot today.. )

Right and wrong.. I already said you didn't have to have cookies.. =) Cookies just tie things together.. it helps.. it makes your information a lot more valuable.. Your shopping habits on a single site might be worth money, but your shopping habits across a LOT of sites.. now that is some serious information...

What I am saying is that an outside company that provides 'metrics' software to other websites tracks you.. they can track you across multiple sites, and THEY can sell your info..

I'm not saying that you go shop at walmart.com and then walmart sells your information.. I'm saying that you go shop at walmart, then 10 other sites.. and the outside company who has their product on all of these sites tracks you..
-they- know a lot more about you than any single web site... They know that you like to buy candy from walmart.com, and cars from cars.com and tools from home depot etc etc.. That might not bother -you- personally (I know it doesn't bother me) but it -does- bother some people.. I mean.. that tracking company probably knows more about your shopping habits than you do...

And none of that is made up either.. heh.. the company I used to work for does it.. That's how I know.. They are legit, they don't sell your info, but if they really wanted to......... they could.. period.. if a hacker gets their database they will know A LOT about you..

once again.. I am -pro- cookies, but I do understand why people turn them off.... Using them CAN be a security risk, although it's probably not likely for the most part...

If all of the web apps on the internet used cookies like w3t does (or did? haven't looked lately) I could go around getting people's info left and right..

It might not be the cookies' fault that the information is there, but it IS the cookies' fault that I am able to GET that information!!!!!

------------------------------------------------
Jeremy 'PeelBoy' Amberg
Edited by PeelBoy on 10/19/00 02:31 PM.

#33697 10/19/2000 5:32 PM
Anonymous
Unregistered
I agree entirely...except for the last two parts...
1)
In reply to:
> once again.. I am -pro- cookies, but I know many many many reasons why they -can- be mad...

Now mad cookies....that is dangerous. :)

In reply to:
> If all of the web apps on the internet used cookies like w3t does (or did? haven't looked lately) I could go around getting people's info left and right..
>
> It might not be the cookies' fault that the information is there, but it IS the cookies' fault that I am able to GET that information!!!!!

Even if all sites used cookies the way w3t did before, only the sites that allowed you to post would let you get people's info. Many sites _do_ use cookies this way (login info), but don't let you steal them, since you can't post JS on the pages the user goes to.
And it's not the cookie's fault you're able to get that info in the insecure situations...it's the website programmer's fault! :)

#33698 10/19/2000 5:47 PM
Anonymous
Unregistered
Sorry I just re-read what... *scratches head* I don't know how the hell I messed that up lol... I guess proof reading is a good thing.

Here's my points:

1. JavaScript isn't the only method to grab cookies..
JavaScript is just the 1 method that I found for THIS forum.. Other forums or products will have their problems also I'm sure...

2. Cookies can be insecure..
Just because it's the programmer's fault, doesn't make it any less secure....... Does it? Nope it's not the cookies' fault that your un-encrypted password is sitting there in a cookie.... It's the programmer who put it there.. But forget about blame.. it's still there right? And there are still potential ways for somebody to get to that information right???! That is a good enough reason for -some- (not all) people to turn off cookies.. If you want to be as secure as possible (a complete security freak) then turning off cookies is a must...

No matter how you look at it, cookies CAN store sensitive data that other people CAN get into if they know what they are doing AND the end user doesn't have much to do about it since it is all done behind the scenes (little or no user interaction)..... That's a security risk.. Yeah it's a low one for the most part, but it's still a security risk.. So some people disable their cookies for that reason. Other people disable them because they hate being tracked by banner ad companies.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33699 10/19/2000 5:51 PM
Anonymous
Unregistered
Well, I do not really support this session idea.
On large boards I don't like it, because it will need tons of RAM.

It just works really well with cookies..

Benj

#33700 10/19/2000 5:52 PM
Anonymous
Unregistered
Pity you were the one who asked for the "Big Brother" feature - it does tend to weaken your case somewhat.

#33701 10/19/2000 5:53 PM
Former Developer
Just for clarification, sessions do not reside in the server's memory. They are written to a temp directory on the server. When needed they are accessed or updated.

---
Scream
http://www.wcsoft.net

#33702 10/19/2000 5:54 PM
Anonymous
Unregistered
It's programmers who think "oh.. cookies.. those are secure.. no need to worry about checking them for security" that leave big friggen security gaps in their programs..

Cookies aren't secure by default.. You have to write your app to make them that way.. You can't just dismiss them as nothing..

Any time you are taking user information and store it some where you should look at the security of it all.. Databases can be just as insecure if your app isn't written right..

For example.. you might not strip special chars off a search form and a user could figure out a way to write code that does a select statement on the user_info table and prints it out to the screen... who knows?!?!?!

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33703 10/19/2000 5:56 PM
Anonymous
Unregistered
> Just for clarification, sessions do not reside in the server's memory. They are written to a temp directory on the server. When needed they are accessed or updated

Even when the user IS online?

Benj

#33704 10/19/2000 5:59 PM
Former Developer
Yes, even when they are online. It writes the session info to a file. When you go to the next page and session_start() is called it grabs the info from the file.

---
Scream
http://www.wcsoft.net

#33705 10/19/2000 6:01 PM
Anonymous
Unregistered
Also, isn't there a higher risk of losing all user prefs if they are on a server temps dir?

I mean with cookies, each user is responsible for its own settings (cookie in his browser dir), but with sessions, all is on our server==> higher risk?

Something I don't understand: will the user profile be stored in the session ? Or will we have still the user database+ the sessions ?
Are the sessions like cookies, but stored on our server ?

I don't get it.

Thanks,
Benj

#33706 10/19/2000 6:06 PM
Anonymous
Unregistered
Sessions are temporary.. They go away when you close your browser, or when they expire.. They are supposed to be used to pass information from page to page during your current session.. I would think that they are stored in a binary db file on the server, not a text file..(for speed) but I'm probably wrong about that... (it probably depends on what language you are using.. ASP probably handles sessions differently than PHP) .. In this case (passing login info) I would say sessions should only be used IF the user does not want to use cookies.. I would hate to have 200 users all having info passed using sessions.. that would slow things way down.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33707 10/19/2000 6:06 PM
Former Developer
Well, if you are on a server that loses files then that would be bad ;). But then sessions would be the last of your problems :).

Sessions work something like cookies, yes. All user profile info will still be stored in the database, sessions just track you while you visit the site.

How it works right now is you log in, and I set a cookie that has your username, encrypted password and language preference on your machine. Each time you request another page I grab this info from your cookie.

If you use sessions, in the php version this info is stored in a temporary file on the server. So instead of retrieving the info from your cookie, we grab it from the temp file.

There are 2 ways that sessions can work. One, you pass the session id (which points to the temporary file) to each script. Two, you set a cookie with the session id. So, we grab the session id from your cookie, and then grab the other info from the session file.

Hopefully that makes some sense. You will be able to choose either method (all cookies, sessions with no cookies, or sessions with cookies) for your users.

---
Scream
http://www.wcsoft.net
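
Added example (not part of the original thread and not WWWThreads code): a sketch of the "sessions with cookies" option described in the post above, with the session settings applied from a shared include such as main.inc.php instead of php.ini, which is what the earlier question about hosted machines asked for. The function names, the sample user table and the 14-day lifetime are assumptions, and it uses current PHP session functions rather than the PHP 4 API of the time.

```php
<?php
// Added example; function names and sample data are hypothetical.

const FORUM_SESSION_LIFETIME = 14 * 24 * 3600; // assumed: stay logged in for 14 days

// Call once at the top of every script, e.g. from a shared include file.
function forum_session_start(): void
{
    // Per-request overrides for hosts where php.ini cannot be edited.
    // They must run before session_start().
    ini_set('session.use_strict_mode', '1');  // ignore ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // take the id from the cookie, never the URL
    ini_set('session.use_trans_sid', '0');    // do not append the id to links
    ini_set('session.gc_maxlifetime', (string) FORUM_SESSION_LIFETIME);

    session_set_cookie_params([
        'lifetime' => FORUM_SESSION_LIFETIME, // cookie survives browser restarts
        'path'     => '/',                    // one cookie for the whole site
        'secure'   => true,                   // sent over HTTPS only
        'httponly' => true,                   // not readable by script running in a page
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Check the password against the stored hash and, on success, bind the user
// to the session. Only the opaque session id ever reaches the browser.
function forum_login(string $username, string $password, array $userTable): bool
{
    $hash = $userTable[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // fresh id after login; old session file is deleted
    $_SESSION['username'] = $username;  // kept in the server-side session file
    $_SESSION['language'] = 'english';
    return true;
}

// Returns the logged-in username, or null for an anonymous visitor.
function forum_current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

// Constructed sample data: one user whose password is stored as a hash.
$users = ['will' => password_hash('example-password', PASSWORD_DEFAULT)];

forum_session_start();
if (forum_current_user() === null) {
    forum_login('will', 'example-password', $users);
}
echo 'Logged in as: ', forum_current_user(), "\n";
```

Compared with the all-cookies method, the username and password never sit in the browser, so a script that manages to read cookies finds only a session id that the server can invalidate.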

#33708 10/19/2000 6:08 PM
Anonymous
Unregistered
tee hee... :)
But you do that w/o cookies! I think I'll write the Big Brother feature...so there! :P
