UBB.Developers Forums UBB.threads 7 Development How Do I? Cookies vs. Sessions

I´d like to be testing the PHP version here at wwwthreads.com a little more than I do. The reason I hardly ever go into it is because I dont like the sessions. Everytime I come back I have to log in again, annoying. Could you set it up in the cookies option?
There again, maybe you have the sessions on to show that it is sessions capable... if so, how about setting up another installation with cookies? Too much? []/w3timages/icons/laugh.gif[/]. Just wanted to let you know why I didnt -and probably many others, not use the PHP version here. I think these session things are great for shopping carts, but for a forum like this... I dont need that much tight security. I like cookies who remind who you are in the forum everytime you come back.

Actually it can use both. You can have WWWThreads use sessions, but initially recognize you via a cookie. You have to change a setting in the php.ini file though, else the cookie is either not set or just expires too quick (I honestly don't know which...same thing though).

That way, for paranoid people they can still get in and use sessions (just block all cookies from your site). For all others, they don't have to login each time if they don't want to.

Yes, well what I meant was for using cookies right here, at www.wwthreads.com php forum. When I set my php version up I will choose the cookies option instead of the sessions -there is an option, right?

While I dont have it at my site set up yet I wouldnt mind testing it here, but I dont like having to log-in again everytime I come back.

Or are you speaking of a user/member prefference?

What I meant, is that you can use sessions without it forgetting who you are each time you come back. It can set a cookie AND still use sessions.

It's something Scream would need to do on his own server, edit the php.ini file to enable that. Else the cookie is not kept (if it was even set in the first place).

I don't like having to log in every time, either. I've made the same silly mistake a few times. I keep hiting the "forgot password" button...by accident. AAARRRGGH! Then my password changes, I have to check my email to get the new one. Even though it was my fault, it is still "friction" between me and my desired user experience. A long lasting cookie would solve everything.

I'll probably make the change to cookies so you don't have to log in each time. But a thing to note, when you request a temporary password your old one will still work. All it does is issue a temp password, it doesn't actually change your real one. This way, even if you hit it by accident you can just ignore the temporary password.

In general aren't both boards the same. The Perl uses cookies and the PHP uses sessions. Just use the Perl.... pretty simple fix.

Doug
http://www.netherworldrpg.net

Well technically that wouldn't work 100%. Sessions data is stored in a temp directory and the cookie that your computer has just lets the server know which temp file has your data in it. While you could make that cookie never expire the server does (just to keep this simple I won't get into the details of how PHP does this) periodicially delete that data when it's not used for a while. So at some point you will have to relogin. That setting on how long the sessions data is set in php.ini (gc_probability and the other gc_ variable).

Doug
http://www.netherworldrpg.net

Yes, it does work 100% []/w3timages/icons/smile.gif[/]. First, the php version can be set to use cookies OR sessions to keep track of visitors during each visit. Even if you use sessions, it can initially recognize you via a cookie. For this to work; you need to change one of the default values in your php.ini file. Change session.cookie_lifetime to the same value in your config.inc.php file. For example, to have cookies expire in a year, use:

session.cookie_lifetime = 31536000

Works perfectly. My php forum uses it, located at http://www.thetechguide.com/forum.

You didn't read what I said why it won't work 100%. I said that if you don't login or use the boards for a while (whatever your session data expiration time is), then your data will be deleted after that and you'll have to relogin. You probably use your message boards all the time so that's not a problem for you.

Doug
http://www.netherworldrpg.net

It can initially recognize you via a cookie though. Sure, the session data is long gone. I'm not arguing that. But the cookie isn't. If it sees the cookie, then you don't have to login, and a new session is started for you. The default value of session.cookie_lifetime is 0, so unless your server admin will make the change for you, or you have access yourself, then yes it'll work exactly as you said. As soon as you close your browser, you'll have to relogin the next time you visit the forum.

Here it is in Scream's own words (from the config.inc.php file):

// Do you want to use sessions or cookies to track your users
// If using sessions and php.ini isn't set to use cookies for sessions
// with a lifetimevalue for session.cookie_lifetime then users will need
// to login upon each visit.
// values = "cookies" or "sessions";
$config['tracking'] = "sessions";

So you see, you CAN use sessions, and not have to relogin each time.

BTW I linked to the wrong forum last time, http://www.thetechguide.com/forumphp is the php one.

The cookie that is saved in reference to the session data is a random combo of alphanumeric values. It DOES matter that the session data has been deleted. Obviously you and Scream are both misinformed. Go read the PHP documentation on sessions handling.

Doug
http://www.netherworldrpg.net

Wouldn't be the first time I was misinformed[]/w3timages/icons/laugh.gif[/]. Makes sense though since I had to switch over to cookies to make it so users didn't have to login upon each visit.

Ok, here's what I know. Before I edited session.cookie_lifetime, I had to re-login every time I visited my php forum. Once I set the value to the same that was in my config.inc.php, I didn't have to relogin until a few days passed (the default lifetime was 1036800 seconds btw). Once I changed that value to 31536000 (both in config.inc.php and in the php.ini file) I haven't had to relogin once.

I didn't make any other changes to either the forum itself or the php.ini file. And it recognizes me each time. So if I am wrong here, don't tell my server. At least it believes me and is working the way I think it should []/w3timages/icons/smile.gif[/]

You're not following me. [bold]Because you keep accessing your boards. Everytime you access your boards the timer that is counting down until your session data, which is saved on your server is being reset to it's max setting (those gc_ variables I keep talking about). The limiting reactor in this equation was your cookie expiration time, but now with the long cookie expiration time, your limiting reactor should be your session data expiration time. Don't access your site (not just your boards) for say 2 weeks and we'll see.

Doug
http://www.netherworldrpg.net

There's no way I can go two weeks without visiting my site! But, it's simple enough to delete everything in my sessions directory. Ok, you're at least partially right, since I had to relogin. But, setting a longer expiration for the cookie still has the desired effect (i.e. I don't have to relogin all the time).

So, if you want to use sessions, but want don't want to have your users login for each visit, just set the cookie lifetime up a bit. As long as the users visit the forum once every couple of days it shouldn't log them out right? And if they don't visit that much, they'll just have to put up with relogging in won't they? []/w3timages/icons/smile.gif[/]

I think the BEST thing would be if W3T set a standard cookie and used that to authenticate first. If it recognizes the user, then it automatically starts a session for them. If not, then they're required to login. So, initial login via cookie, subsequent authentication via sessions. Is that possible?

Yes you're right in that aspect, I agreed with you on that a while ago.

As far as that login method you speak of, sure it's possible just going to take a lot of messing with the HTTP Header... I think PHP4 fills the header in reverse... or was that PHP3? I forget now. But that would definately make a difference.

Doug
http://www.netherworldrpg.net