User authentication

Just wondering how the majority of HxF uses sessions.

Do you:

1. Use cookies.
2. Use $_SESSION
3. Another method? Explain.

:)

Other(cause i don't know the full method)
I use vbulletins login, i basically use my own script to encrypt the passwords and send it off to the vbulletin login that sets cookies for three different sites.

The Forum
The Main Site
And the radio
all are hosted on the same server just different domains. This enables every user to only have to login once.

Bryce

I use sessions ($_SESSION). My main reasons for this are as follows;

a) They aren't stored in the browser and therefore it is more difficult for the user to interfere/mess around with them.

b) They are easier to set, modify, and unset/delete.

c) Sessions work on a per-site/per-server basis and therefore if a user has a session set by your site and then they go visit joe's website, joe's website won't be able to access or view the sessions set by your site.

d) Since sessions are stored on the server and not in the browser there's less back and forth between the two which [to some extent] makes sessions more secure.

e) Sessions work even if cookies have been disabled in the users browser.

f) I have just always used sessions and so I stick with what I know best :)

$_sessions here, been using it on all my systems, love it :)

I used to use cookies a lot because i don't see why everyone says they're so insecure, if you use them properly they're perfectly secure. But lately I've been using sessions they're just easier to work with i guess..

I use both sessions and cookies.

Depends if i want the user to still be logged in next time they visit the page.

Quote:

---

Originally Posted by Jme

I used to use cookies a lot because i don't see why everyone says they're so insecure, if you use them properly they're perfectly secure. But lately I've been using sessions they're just easier to work with i guess..

---

Well to be honest, most users on HxF are not experienced enough to make cookies secure, hence why they use sessions.

session's
Running a game security is the one of the main concerns

Quote:

---

Originally Posted by Colin-Roberts

session's
Running a game security is the one of the main concerns

---

True, but just because you use sessions does not ensure security, there are ways to use them.. and ways to not.

Quote:

---

Originally Posted by Caleb

True, but just because you use sessions does not ensure security, there are ways to use them.. and ways to not.

---

True... the only reason I really find I use Cookies is like someone said above, if a user needs/wants to stay logged in. Or in other situations if you're logging information about the user (like visitor tracking type thing).

Now I do have to disagree with the other thing Caleb said about most people not knowing how to make Cookies secure.... well it's not really any different than Sessions.... as long as you one-way-encrypt the password before storing it you're pretty much good to go (oh, and you just have to make sure the cookie doesn't never expire).... ya...

I use a custom session handling system for internal requests and data abut cookies to store more long term information, such as details to auto log users in when they visit the website etc.

Quote:

---

Originally Posted by Scriptz

True... the only reason I really find I use Cookies is like someone said above, if a user needs/wants to stay logged in. Or in other situations if you're logging information about the user (like visitor tracking type thing).

Now I do have to disagree with the other thing Caleb said about most people not knowing how to make Cookies secure.... well it's not really any different than Sessions.... as long as you one-way-encrypt the password before storing it you're pretty much good to go (oh, and you just have to make sure the cookie doesn't never expire).... ya...

---

Not really, it would depend on the user doing it.

Some users just check to see if the cookie, or the session is there, and no real verification on the user or anything else.

Quote:

---

Originally Posted by Mentor

I use a custom session handling system for internal requests and data abut cookies to store more long term information, such as details to auto log users in when they visit the website etc.

---

Same, I don't use $_SESSION at all, my own MySQL session management using a unique indentifier which would relate in some what to using PHP's own session management.

Of course you could always just use the callback provided by PHP for using your own handling system, but heh, making your own would insure that you know how it works :)

I use Sessions for well, the session.
If they click "Remember Me!" then it sets a cookie with like a 30 letter string (already in the users row in the database) that is totally unique and when they log on the next day, it goes and gets that string and uses it to get the rest of the information from the database.

Quote:

---

Originally Posted by MrCraig

I use both sessions and cookies.

Depends if i want the user to still be logged in next time they visit the page.

---

I do the same,


But I make sure I use session hashing for the cookies for security

Quote:

---

Originally Posted by Jin

I do the same,


But I make sure I use session hashing for the cookies for security

---

I do the same with the session hashing as well as checking against the IP and other various things :P

I use a mixture.

Cookies for saving information if they want [ ] Remember Me.

Sessions for general everything. :)