Permanent Cookies and sessions

llnitoll · February 25, 2012, 7:40pm

Using PHP sessions is very easy, but the best way to make permanent cookies is built you own ones?

I’m building a site and in my local server I can change session.cookie_lifetime, but perhaps you can’t do that in a shared hosting, and using this method all users will have a permanent cookie, even when they don’t want it.

So, to make a well builded site is better not to use the PHPSESSION, and make you own cookies and store them in MySQL?
Like in the “Creating a Custom Session Save Handler” part of this article: http://phpmaster.com/writing-custom-session-handlers/

Cups · February 25, 2012, 9:21pm

Why do you want a permanent cookie exactly?

Explain that and perhaps we can best advise you.

ServerStorm · February 25, 2012, 9:54pm

llnitoll

I’m with Cups, it would best if you explained the reasoning.

One thing that I do with my sites is to instead of exclusively storing sessions in the database (which I do), I serialize a users session data so it can remain persistent. Next time they log in then they their current session is updated with the un-serialized values. Obviously in this approach users have to log in.

Steve

llnitoll · February 25, 2012, 10:19pm

To log in automatically the users, even if they closed the browser. I have a the opcion “Remember me” in the login, like Twitter.

Cups · February 26, 2012, 2:59pm

read up on php’s [fphp]setcookie/fphp

llnitoll · February 26, 2012, 3:22pm

I know how to set cookies, thanks. Until now I was using a cookie stored in the MySQL to log in the users that required to remember their login, and then the php session cookie to store all information.

But I read that PHPSESSIONS are slow if there are lots of users, and there’s the problem I was saying. And there’s no reason to do that with 2 cookies, I should be able to do that with one, no?

So basically I just want to confirm that in my case I should forget the PHPSESSIONS, and store all that in the MySQL, and make a query every time the user makes an action.

llnitoll · March 1, 2012, 5:42pm

Well, now I only use my cookies, and I don’t use the PHP sessions. I hope it’s the correct way.

ServerStorm · March 1, 2012, 8:16pm

Hi llnitoll,

You may want to look at these resources that talk about the security of cookies/sessions and what can be done for better security.

[LIST]
[]http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/1/
[]http://shiflett.org
[/LIST]To have a ‘remember me’ you need to use cookies as

I hope it’s the correct way.
It is up to you to know how to best secure sensitive data, so understanding how cookies and sessions as well as apache and the Database are configured all play into ‘The correct way’.

Sessions are not slow if used for the right thing. It is a very convenient mechanism to keep persistent data while the user travels through stateless html/php pages. Just don’t try to use a session like you would a database, then you will say that it is slow.

Regards,
Steve

system · March 1, 2012, 11:28pm

Since php sessions rely on a unique cookie – net difference zero. Usually sessions don’t give me the level of control I want over the data anyways, which is why I use my own custom cookie/hash tied to a db table and say to heck with $_SESSION.

Especially since you have no guarantee across servers what the max time session data is stored/purged.