Another cool feature of php4 is built in session support. This could open the doors for a lot of neat features like the my.wwwthreads idea and more. <br /><br />Will you be using sessions? Have you thought about the possibilities it brings? Im sure others can come up with more as well.<br /><br />Will<br /><br />

No sessions in the initial port. Sessions, basically work via cookies or temp files and with the way WWWThreads is setup it actually is basically a session once you login. Every script knows who you are, so we can track and display any type of info for a particular user.<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

I really DISLIKE the feature of w3t saving my username, password, language, and some other variable in a cookie. I'm not really against cookies but there are some browsers that do throw fits when another part of the web site attempts to set a cookie with a different directory (w3t specifies it's own directory so I can't just set mine to path=/). All I have been able to tell these users is to upgrade to the latest browser version. Session support would fix this. Sessions are increbibly easy to support Scream, they're functionality is pretty much the same as your cookies all you would need is 1 function call at the top of your page and replacing your setcookie() call with session_register(). Also people with cookies disabled and people with old computers could access w3t because it would use append the session ID to the end of the URL instead of via a cookie. <br /><br />For those who are interested, I'll release a hack for session support as soon as I see the PHP version of w3t. <br /><br />Finally I'll be making hacks by the hundreds for w3t because it's finally in PHP a language I like unlike Perl (which should be banned by the U.N. from being used or something like that) []/w3timages/icons/smile.gif[/]<br /><br />

The one thing I haven't figured out about sessions, and one of the main reasons I haven't used it yet. Alot of people don't like to have to log in every time they come to visit the forums. From what I have read so far, essions are only for that current browser session. So, users would have to login each time they visited, correct? Also, I haven't come across where you specify to store the session variables, cookies, temp files, etc. Any help would be appreciated. If there really is a benefit to using sessions, then I would use them.<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

As a followup, I know some of the session info can be set in the php.ini file. Since alot of users will be on a hosted machine do you know if there is a way to set this in a required file, like the main.inc.php that I will use for all functions?<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

Replying to myself. I got all of this figured out. Have moved all ported scripts over to support sessions. Seems to work fine and dandy.<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

Blah, scratch that. While I do have sessions working, they don't cross browser sessions. Which means users will have to login upon each visit. Unless we store a username and password cookie, which bypasses the whole need for sessions in the first place[]/w3timages/icons/crazy.gif[/]<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

Are sessions any faster than using cookies? (You don't have to keep reading a file from the users system right?)<br /><br />Why not grab the cookie if a session hasn't been created, and then from that point track the user with the session instead of the cookie, until the session expires?<br /><br />Cant you do persistent db connections with sessions or some junk like that also? That would be cool. Or are you already doing that?<br /><br />Actually.. I think it would be a bad idea to use sessions.. Those can bring down servers if you get a lot of hits (atleast they do in ASP).. I would just stick to using cookies.<br /><br />------------------------------------------------<br />Jeremy 'PeelBoy' Amberg

I don't really think there is a speed benefit. Your cookies are automatically sent with every request to the site, so there really isn't much going on there.<br /><br />The only reason I can think of to use sessions would be so you don't have to use cookies. So, if we are going to use cookies at all then there really isn't a need for sessions.<br /><br />You can do persistant connections with PHP, no need for sessions for this. Don't have the variable put into the config yet, but it will be.<br /><br />There would be quite a bit of file I/O on heavy traffic sites if sessions are used. Right now I'm just going to port with the cookies until I gain more knowledge in this area and can see a real benefit.<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

oh that's right.. duh wtf was I thinking (about cookies being sent in the headers..)<br /><br />Ok here's what I say you do.. People who don't use cookies are screwed basically right? So when the user logs in give them the option to pick cookies or sessions.. sessions are temporary for that browser session and cookies last longer..<br /><br />That way people who refuse to turn cookies on can still browse the forum.. (they don't have to login for every post or what not)<br /><br />or is it possible to tell if user has cookies turned off? if so just check and if they do.. use a session to track them once they login or something.. that way cookies are used when they can be, but if not then seesions are used instead..?<br /><br />just some ideas hehe..<br /><br />------------------------------------------------<br />Jeremy 'PeelBoy' Amberg

I like PeelBoy's suggestion.<br /><br />I see no need to move everyone to sessions, just those who can't/won't use cookies.<br /><br />It's a simple matter to tell if a user is accepting cookies--attempt to set a test cookie, refresh to another page that checks if that cookie was actually set. If it was, continue as normal, if not, switch over to sessions.<br /><br />That gives the cookie-less people an almost identical experience to the rest of us. I suppose you could have an option somewhere of "cookies or sessions", but I don't think that's really necessary--if someone doesn't want to use cookies, they can just turn them off themselves.<br /><br />

I personally don't understand people who don't use cookies. Everyone _can_ use cookies...it's been in since Netscape 1.1. Unless they're using Lynx or something similar (which still supports cookies, I think)...<br />Regardless...cookies are so entirely harmless, that I have no pity for anyone who doesn't use them. It's a wonderful way to use functions like w3t and it doesn't store anything that wasn't available to the site in the first place.<br />Since sessions are only once per browser session, they really do the user almost no good! The only thing they do for the user is...well...nothing! You still have to login every time you come to the site, and the best way to handle the user being logged in or not is with cookies. Unless someone can come up with any good reason not to use cookies, I see no reason to spend even a minute on sessions...<br /><br />Flame away, privacy advocates! []/w3timages/icons/wink.gif[/]<br /><br />

I agree and disagree..<br /><br />Cookies are great.. I like them a lot..<br /><br />But yes they can be insecure..<br /><br />Outside apps that you run on your computer -can- look at cookies and possibly find information..<br /><br />Also.. A while back I wrote a .js file that could be included in a post on this forum.. It would pull your user name and password, then create an image tag pointing to a cgi script on my server (with a query string that contained the user name and password) From there it could store everybody's user name and password into a database (I just wanted to see if it worked.. it did.. so I reported it as a bug and deleted the scripts)<br /><br /><br />Althought cookies aren't a -bad- thing.. some people are silly and think they are.... For those people it would be nice to have sessions.. Your right that sessions work in just one instance of your browser, but that isn't a bad thing.. you have to login every time you close the browser, but atleast you can post messages on the forum if anon users is turned off.. with out cookies you can't I don't think (or if you can, you have to login every time!!)...Also people could see you in the who's online list etc.. with out sessions or cookies you are basically an anonymous user.. which means you might not have as many options as a use who is logged in........<br /><br />Oh and like a33 says above.. Cookies are used a lot for tracking users.. I know this for a fact because the company I -use- to work for (coremetrics.com) tracks users with a cookie.<br /><br />------------------------------------------------<br />Jeremy 'PeelBoy' Amberg<P ID="edit"><FONT SIZE=-1><EM>Edited by PeelBoy on 10/19/00 12:12 PM.</EM></FONT></P>

LoneWolf,<br /><br />I think there is a definite privacy risk involved with cookie use. I'm not paranoid or anything, but I think most of us know by now that advertising companies profile us, greatly through the use of cookies. <br /><br />I don't have any problem with "regular" cookies, ones that are actually meant to make things easier (like the ones for W3T). It's the 3rd party cookies that I try and avoid like the plague. If you've ever set your browser to prompt you for cookies before accepting, you'll know what I'm talking about. You go somehwere like msn.com and see cookies being sent from all these different ad company domains. Hmmmm... I wonder what they're doing? I'm sure there's a "good" reason why those cookies need to be sent to me, right? I don't think so...<br /><br />If anyone wants to see a browser with outstanding cookie filtering options, check out Opera 4.0. I swear by it now and wouldn't consider switching back to anything else. You can set it to block all cookies, block just certain domain cookies, accept only certain domain cookies, block 3rd party cookies, etc. It's just perfect.<br /><br />I have it prompt me for all domains that I haven't already setup a filter for. When new domains come in, I set them to either be accepted or blocked from that point on. The first week or so of doing this, I got prompted all the time, but now 90% of the sites I visit regularly have been recorded one way or another, so I rarely get asked about cookies now. And of course, every ad company's domain I've ever come across has been blocked--if you do just that, you'd be amazed at the amount of cookies that are wiped out.<br /><br />Even without the cookie filtering, Opera's a great little browser--speedy too.<br /><br />

Ok, what I am doing is making this an option on a per site basis. If you have access to your own php.ini file and you choose to use sessions, you could set it so the session id is stored in a cookie and is persistant so they won't have to log in each time. If you don't have access to your own php.ini file and you don't want your users to have to login each time then you could use cookies for the default tracking method.<br /><br />---<br />Scream<br /><A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>

As far as the outside apps, that would be what I would call a "bad" app []/w3timages/icons/smile.gif[/]..one that searches your HD for cookies? That program wouldn't get used by very many people, and if it did, I would call it a virus. That's not an insecurity of cookies...it's an issue with virus type software.<br />As far as the JS, I saw that, and it's interesting, and as you mentioned, a bug that w3t even allowed it. Again...not a cookie problem.<br /><br />

Oooh...almost forgot...as far as tracking users...you can only track them on your own site!! Not very useful, except for improving the site you go to! []/w3timages/icons/smile.gif[/]<br />BTW...it's very easy to enable cookies in people's browsers. []/w3timages/icons/wink.gif[/]<br /><br />

How can it be a privacy risk? They can't get any information from you that you didn't give them/they are able to read anyway! They can track you only in their own site...they can't monitor your overall web activity. The best they can get if you don't put any info in is your IP, browser, etc....not like they're invading your privacy!<br /><br />

Nice solution. []/w3timages/icons/smile.gif[/] I just like starting fights sometimes []/w3timages/icons/wink.gif[/] Good work!<br /><br />

>They can't get any information from you that you didn't give them/they are able to read anyway! <br />>They can track you only in their own site...they can't monitor your overall web activity.<br /><br />That's completely untrue. This stuff is old news- <A HREF="http://slashdot.org/yro/99/10/22/0249212.shtml" target="_new">http://slashdot.org/yro/99/10/22/0249212.shtml</A>.<br /><br />Maybe I'm just weird, but to me, the idea of these companies tracking my online habits and putting it all together in one huge database, either connected to my IP address, or in some cases my actual name, etc , is more than a little disturbing.<br /><br />I'll continue to monitor all incoming cookies and decide for myself which ones are necessary. If you're not bothered by this, then by all means, continue treating cookies as harmless little things.<br /><br />