The blog of KAO written in heart-wrenching broken English


August 28th, 2005

Sssesssionsss

Websites & Projects | at 11:35 PM

And another crappy day ends. Again I programmed (with PHP), and again I wasted such an amazing amount of time trying to figure out what I'm doing, what's happening. This time I finally learnt about cookies and sessions. Call me stupid, but I had never completely grasped the principle behind sessions. Now I finally did and the concept is clear in my mind. For the most part actually, I had been confused by this erroneous statement from PHPFreaks:


"This may come to you as a surprise, but Cookies are about 30% unreliable right now and it's getting worse every day. More and more web browsers are starting to come with security and privacy settings and people browsing the net these days are starting to frown upon Cookies because they store information on their local computer that they do not want stored there. PHP has a great set of functions that can achieve the same results of Cookies and more without storing information on the user's computer. PHP Sessions store the information on the web server in a location that you chose in special files. These files are connected to the user's web browser via the server and a special ID called a "Session ID". This is nearly 99% flawless in operation and it is virtually invisible to the user."


First, I must say I rarely use tutorials; I check them mostly to get some enlightenment when I can't entirely figure out a concept such as sessions. For the most part I use the PHP manual; this plus the lengthy commentaries in most cases are enough to understand everything.

In the quote above, what confused me a lot was the fact they insisted so much on cookies being so unreliable and kind of useless. Because the session ID, as described in the manual, is supposed to be: "either stored in a cookie on the user side or is propagated in the URL." If the cookie method was not the best one, that meant sessions were mostly used with the URL, but the thing is, when visiting sites, very rare are the ones which append the SID to the URL. So I kept wondering if there was a session method I was not aware of or a reliable way to hide the SID in the URL; perhaps there was something I didn't understand; could you choose which method to use anyway? Etc. And I just got more and more confused and lost.

But the truth is that this statement from PHPFreaks is inaccurate. Sessions can use either cookies or the URL as the manual mentions; it's just up to you to decide which method you want to use (actually I guess it's even possible to use both at the same time). If the cookie method is preferred over the URL one, it's for 3 reasons at least: 1/ systematically appending the SID to the URL is tiresome 2/ it's also risky because some of your users might accidentally provide a link with their current session 3/ the cookie method works most of the time.
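The cookie-versus-URL choice described above maps onto a handful of PHP session settings. What follows is an added example, not code from the original post: it assumes PHP 7.3 or later and a site served over HTTPS, and the function names `start_cookie_only_session` and `strip_sid` as well as the sample URL are made up for illustration.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.3+ and HTTPS.

// Start a session whose ID travels only in a cookie, never in the URL.
// Call this at the top of each page, before any output is sent.
function start_cookie_only_session(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... on input
    ini_set('session.use_trans_sid', '0');    // never append the SID to links
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // hide the cookie from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: remove a SID query parameter from a URL before it is
// stored in statistics or displayed, so a pasted link cannot carry a session.
// Userinfo (user:pass@) is deliberately not carried over into the result.
function strip_sid(string $url, string $sidName = 'PHPSESSID'): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url; // unparsable, or nothing to strip
    }
    parse_str($parts['query'], $query);
    unset($query[$sidName]);

    $clean = '';
    if (isset($parts['scheme']))   { $clean .= $parts['scheme'] . '://'; }
    $clean .= $parts['host'] ?? '';
    if (isset($parts['port']))     { $clean .= ':' . $parts['port']; }
    $clean .= $parts['path'] ?? '';
    if ($query !== [])             { $clean .= '?' . http_build_query($query); }
    if (isset($parts['fragment'])) { $clean .= '#' . $parts['fragment']; }
    return $clean;
}

// Constructed sample: a forum link pasted while URL-based sessions were on.
$pasted = 'https://forum.example/viewtopic.php?t=42&PHPSESSID=0123456789abcdef';
echo strip_sid($pasted), PHP_EOL;
```

With `session.use_only_cookies` on and `session.use_trans_sid` off, PHP neither reads a session ID from the query string nor writes one into links, which removes the shared-link risk listed as reason 2.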

For the cookie method not to work, your browser must refuse cookies. This might happen if you use some public computers not intended to go on the web, but it's very unlikely someone chooses to do this purposely. If he does, he won't have access to many sites; for instance, you cannot connect to Tabulas, Blogger, Yahoo or Gmail without cookies enabled. Forums such as phpBB and Invision do allow you to connect with the URL method though. What would be the use of preventing cookies from coming to your computer anyway? There is this privacy issue, supported by several sites, but I never figured out what the fuss was all about. I don't think cookies can "follow" you and gather information about you; statistics are a much bigger threat to your privacy. With statistics I can track precisely on my sites (well, not this one actually), I can see where you go and what you do and worst of all how you came to my site (generally sensitive data such as the SID are omitted though), for instance the search you performed on Google which led you here.

Anyway, when PHPFreaks says "files are connected to the user's web browser via the server and a special ID called a "Session ID". This is nearly 99% flawless in operation and it is virtually invisible to the user.", what they are actually referring to is the cookie method! That's the only way to make the SID virtually invisible to the user. Or at least, if I understood correctly... Good night.

Today's retro game: Shining in the Darkness
Today's recent game: Chaos Field Expanded
