PHP Sessions

craigfarrall · #1 (**permalink**) 07-03-09, 08:22 AM

Hi All,

I am working on a dating website, and I am in need with help with sessions. I have read up on this in my PHP book and the free video on here, but if anything it confused me, so was wondering if anyone could help me.

I want to be able for a user to register, and at the end of the register I would like the sessions to start and that user can then navigate through the website and it being assigned to them.

But as I said before I have tried this before, and it confuses me to be honest, so if someone can go through the basics and what I need to do/know that would be appreciated.

Thanks
Craig

Jcbones · #2 (**permalink**) 07-03-09, 07:19 PM

PHP Code:


			

session_start(); //must be called first on the page, very top before any output...^yes way up there...

//Store or call a session variable.  Yes, it is a superGlobal.
$_SESSION['variable'];

That is the basics.

craigfarrall · #3 (**permalink**) 07-04-09, 06:33 AM

Ok so if I have a customer first name saved in the db as 'fname' then I can use:

Code:

$_SESSION['fname'];

Then I can echo that out later to show the fname?

End User · #4 (**permalink**) 07-04-09, 09:44 AM

No, sessions are not the same as your database. To use variables in a session you'll need to explicitly add the variable to the session itself, like this:

PHP Code:


			
// place this line at top of page before any output

session_start();



//create a var with a value

$testvar = "myfirstname";



// register the variable into a session

$_SESSION['testvar'] = $testvar;

On another page, you can then do this (again, you need to start the session as above):

PHP Code:


			
// this will print nothing because the variable hasn't 

// been retrieved from the session yet

print "TESTVAR: $testvar";



// now we'll retrieve the var from the session

$testvar = $_SESSION['testvar'];



// this will print the text 'myfirstname'

print "TESTVAR: $testvar";

If you have a customer name saved in the database, you must first pull the name out of the database, then store it in a session.

Quote:

Originally Posted by craigfarrall

Ok so if I have a customer first name saved in the db as 'fname' then I can use:

Code:

$_SESSION['fname'];

Then I can echo that out later to show the fname?

ruteckycs · #5 (**permalink**) 07-05-09, 05:46 PM

Dont use sessions, save the username and password as a cookie.

Jcbones · #6 (**permalink**) 07-05-09, 08:34 PM

Quote:

Originally Posted by ruteckycs

Dont use sessions, save the username and password as a cookie.

Now that was alot of help.

Why not explain why you think that he shouldn't use sessions. That may be more helpful.

I would love to hear why Cookies are better than Sessions.

PS. Session is a Cookie, just not persistent.

ruteckycs · #7 (**permalink**) 07-05-09, 09:26 PM

Sorry my friend I think you are confused. Sessions are NOT Cookies. Sessions are stored server side, Cookies are stored client side.

I say use cookies because as I recall for me , when I was first coding, cookies were much easier to understand and work with.

Nico · #8 (**permalink**) 07-06-09, 04:29 AM

Cookies are about one line of code easier, but 100 times more insecure. If you care about your user's security and privacy, use sessions.

ruteckycs · #9 (**permalink**) 07-06-09, 02:20 PM

I said easier to understand not easier to code, but anyway that was for me OP may be different. As for security, I guess you have to ask yourself how likely it is someone will be attacking / routing packets for your customers computers, not likely for the home user, but for a bank or something ....?

End User · #10 (**permalink**) 07-07-09, 08:42 AM

Quote:

Originally Posted by ruteckycs

As for security, I guess you have to ask yourself how likely it is someone will be attacking / routing packets for your customers computers

That's not the question you should be asking. What you should be asking is, "Do I want to code this securely or not?"

Cookies are pretty easy to exploit, and although you may not care about the data or think it's worth hacking, someone else might. Oftentimes hackers go for the "low-hanging fruit" (the easy stuff), so why make it any easier for them?

I often hear the argument that "this data isn't important" or "this data isn't worth anything". In the first instance, it may not be important to you, but chances are it's important to somebody.

In the second instance, it's not necessarily the value of the data itself, but the access that cracking the data can bring, like gaining access to your server or user accounts, thereby creating an opening that can be further exploited.

Saying that "nobody wants this data" is like saying that "nobody wants your front door", so why not just make it out of cardboard. It's not the door that's important, it's the fact that it keeps people out of your home.

Anytime I hear people coming up with reasons not to code securely, I just shake my head. It's like trying to justify not wearing a seatbelt when you drive: "No one wants to hit my car."

On the other hand, I really should thank the insecure coders of the world, because it means that hackers will be targeting them instead of me. And I'm okay with that.

Quote:

Originally Posted by ruteckycs

not likely for the home user, but for a bank or something ....?

Honestly, you'd be surprised how often home networks and end user PCs are targeted.