Page 2 of 4
#205522 - 10/19/00 01:16 PM Wrong.. [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA

True, it's a bad app, but what makes you think it doesn't happen? Almost all Microsoft products grab information about you from the registry and send it to Microsoft (like when you register an app)....... does that stop people from using the software? nope!

Most people don't even know about it... They could do that with cookies also and you would never know. (not saying anybody does, but it is possible)

Also, yes you CAN track cookies over multiple sites.. ad companies do it .. all you do is set a global cookie......... coremetrics puts a cookie on your machine and tracks -everything- you do on ANY site that runs their product.. (when you visit the site it reports to their servers w/ your cookie id and what you are doing) in other words if you fill out a form with your name and address, it gets sent to coremetrics and associated with your cookie.. bet ya didn't know that? hehe... (this only happens on sites that run coremetrics product though)

I'm not saying that is bad .. they don't use the information in a bad way.. but it IS possible...... some banner ad companies sell your 'surfing' habits (they know which of their affiliate sites you have visited, and where you went on those sites etc..)

again.. nothing bad really, but it's still possible to do, there is no denying it..

as for the js file thing.. yeah.. it was a bug on here, but it still only affects people who use cookies and if I never said anything nobody would have ever found that bug I don't think.. people who turn off cookies -can- be just protecting themselves from bugs like that.. they do exist, and they are a threat... shutting off cookies DOES make things a little safer...
I know it's not the cookie's fault, it's a mis-use of cookies by the person who creates the product, but nonetheless it still happens, and people don't find out about it until it's too late...

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#205523 - 10/19/00 01:28 PM Re: Session support? [Re: Nat X]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
I guess sessions will be a memory hog?
If you have 200 users online at the same time, it will use A LOT of memory, right?

Benj

#205524 - 10/19/00 01:38 PM Re: Session support? [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
Yep yep..

sessions kill servers under load..

200 users on the forum at once is a lot though.. (That is a pretty popular forum)

You don't need to track anonymous users.. So that cuts 1/4th of them usually..

And if you use sessions to only track users who have cookies disabled I think it would work great.. You would only have maybe 1 or 2 users online who are being tracked by sessions..

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#205525 - 10/19/00 01:40 PM Re: Wrong.. [Re: Mix505]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
Ah, I see...so they have my ID. Ummm...yeah. My "ID". Hope they don't, ya know, look up that "ID", in their ID database! They might find that I use IE5.5! ;) I do know that they can connect that ID to my info...IF I ever gave them my info! Otherwise, it means nothing to them, except the path of a "human" on the web! :) I guess it is a matter of personal preference, but that seems kinda paranoid to me...I dunno. I guess the option is nice. But...uh oh...that means that in the case of the "global cookie", PHP sessions won't help!! DOH!
So basically, my point is that w3t has a useful and valid use for cookies, which everyone should use. I have said it, and thus it has been said. ;) On the other hand, thanks for putting in the option, Scream.

#205526 - 10/19/00 01:55 PM Re: Wrong.. [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
But the problem is that you assume they -only- use cookies..

It's not good to assume that..

Let's put it this way.. You visit a site to buy something.. The site grabs your cookie and then reports back to a server that you just visited their site. Then you decide to buy a product so you find the stuff you want and add them to your cart.. Each time you add an item to your cart the website tells the server exactly what items you are adding to your cart. THEN you fill out your address and cc info.. That gets sent to the server also (along with your cookie id!!).. now that site has all of your info.. so where does this cookie id come in? well it's a global cookie which means you are tracked across multiple sites, which all run this "tracking" software...

That means I can go to my "user tracking" database and do a lookup on "Lone\/\/olf" and I can see that you visit this sex site and got a porno, then you went to walmart.com and got some handcuffs, then you went to some other place and got a new bike.... and then I can go and sell all of your contact information to another company who wants to send you ads for porno since they KNOW you like to buy porno............. Not just email ads, but phone, and snail mail ads also. this can be done without using cookies, but cookies is what ties it all together.. it's what the site uses to know who you are on each page you visit, and it is used to track you on other websites.. etc.. and you never know all of this is happening either.. not unless you always read the privacy pages on every website you shop at...

and yes.. w3t's use of cookies IS very valid.. I'm just saying that people who disable cookies probably have a pretty good reason, and I wouldn't say they are 100% wrong, and I think it would be good to take these people into account because they -are- out there and they do deserve to use this forum if they want, without having to enable cookies..
Tracking users who have cookies disabled by using a session is a good enough solution.. it will let them use the forum, but they will have to login every day, or every time they close the browser.. that beats not being able to use the forum at all.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#205527 - 10/19/00 02:00 PM Session support in PHP3/PHP4 [Re: Sally]
Sharif Offline
Member

Registered: 05/18/00
Posts: 272
scream, if you download ewaddle from http://www.ewaddle.com/ you'll get a clever way to get the session capabilities without relying on PHP4 sessions. I think PHP3 will continue to be the most used coding script for a while before being replaced by PHP4. Reasons are multiple.

Session doesn't replace the cookies to remember the login parameters.

#205528 - 10/19/00 02:05 PM Re: Wrong.. [Re: Mix505]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
Only problem with this, is that cookies are not needed for this scenario! If I buy from a site that totally doesn't use cookies, they still get my info, they can still send me mail! If I go to Wal-Mart (in real life, not on the web), I still get magazines, etc. from them! Do you really think that you aren't tracked, just because you disable the cookie? Do you seriously think that Wal-Mart, etc don't sell your data to ad companies and data warehouses? And if you really didn't want to get the catalog of porn, then you probably shouldn't have told the porn store where to ship the merchandise!

Please realize that I'm not arguing the point of having an alternative in w3t...alternatives are always nice. I just like playing Devil's advocate ;)

#205529 - 10/19/00 02:19 PM Re: Wrong.. - edited [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
(ok so my typing skills aren't so hot today.. )

Right and wrong.. I already said you didn't have to have cookies.. =) Cookies just tie things together.. it helps.. it makes your information a lot more valuable.. Your shopping habits on a single site might be worth money, but your shopping habits across a LOT of sites.. now that is some serious information...

What I am saying is that an outside company that provides 'metrics' software to other websites tracks you.. they can track you across multiple sites, and THEY can sell your info..

I'm not saying that you go shop at walmart.com and then walmart sells your information.. I'm saying that you go shop at walmart, then 10 other sites.. and the outside company who has their product on all of these sites tracks you..
-they- know a lot more about you than any single web site... They know that you like to buy candy from walmart.com, and cars from cars.com and tools from home depot etc etc.. That might not bother -you- personally (I know it doesn't bother me) but it -does- bother some people.. I mean.. that tracking company probably knows more about your shopping habits than you do...

And none of that is made up either.. heh.. the company I used to work for does it.. That's how I know.. They are legit, they don't sell your info, but if they really wanted to......... they could.. period.. if a hacker gets their database they will know A LOT about you..

once again.. I am -pro- cookies, but I do understand why people turn them off.... Using them CAN be a security risk, although it's probably not likely for the most part...

If all of the web apps on the internet used cookies like w3t does (or did? haven't looked lately) I could go around getting people's info left and right..

It might not be the cookie's fault that the information is there, but it IS the cookie's fault that I am able to GET that information!!!!!

------------------------------------------------
Jeremy 'PeelBoy' Amberg

Edited by PeelBoy on 10/19/00 02:31 PM.

#205530 - 10/19/00 02:32 PM Re: Wrong.. [Re: Mix505]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
I agree entirely...except for the last two parts...
1)
In reply to:
> once again.. I am -pro- cookies, but I know many many many reasons why they -can- be mad...

Now mad cookies....that is dangerous. :)

In reply to:
> If all of the web apps on the internet used cookies like w3t does (or did? haven't looked lately) I could go around getting peoples info left and right..
>
> It might not be the cookies fault that the information is there, but it IS the cookies fault that I am able to GET that information!!!!!

Even if all sites used cookies the way w3t did before, only the sites that allowed you to post would let you get people's info. Many sites _do_ use cookies this way (login info), but don't let you steal them, since you can't post JS on the pages the user goes to.
And it's not the cookie's fault you're able to get that info in the insecure situations...it's the website programmer's fault! :)

#205531 - 10/19/00 02:47 PM Re: Wrong.. [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
Sorry I just re-read what... *scratches head* I don't know how the hell I messed that up lol... I guess proof reading is a good thing.

Here's my points:

1. JavaScript isn't the only method to grab cookies..
JavaScript is just the 1 method that I found for THIS forum.. Other forums or products will have their problems also I'm sure...

2. Cookies can be insecure..
Just because it's the programmer's fault, doesn't make it any less secure....... Does it? Nope it's not the cookie's fault that your un-encrypted password is sitting there in a cookie.... It's the programmer who put it there.. But forget about blame.. it's still there right? And there are still potential ways for somebody to get to that information right???! That is a good enough reason for -some- (not all) people to turn off cookies.. If you want to be as secure as possible (a complete security freak) then turning off cookies is a must...

No matter how you look at it, cookies CAN store sensitive data that other people CAN get into if they know what they are doing AND the end user doesn't have much to do about it since it is all done behind the scenes (little or no user interaction)..... That's a security risk.. Yeah it's a low one for the most part, but it's still a security risk.. So some people disable their cookies for that reason. Other people disable them because they hate being tracked by banner ad companies.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#205532 - 10/19/00 02:51 PM Re: Wrong.. [Re: Mix505]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
Well, I do not really support this session idea.
On large boards I don't like it, because it will need tons of RAM.

It just works really well with cookies..

Benj

#205533 - 10/19/00 02:52 PM Re: Wrong.. [Re: Anonymous]
Eileen Offline
Master Hacker

Registered: 05/11/99
Posts: 3701
Loc: Los Angeles
Pity you were the one who asked for the "Big Brother" feature - it does tend to weaken your case somewhat. >:)

#205534 - 10/19/00 02:53 PM Re: Wrong.. [Re: Anonymous]
Rick Offline
Guru

Registered: 05/11/99
Posts: 8372
Loc: Olympia, WA
Just for clarification, sessions do not reside in the server's memory. They are written to a temp directory on the server. When needed they are accessed or updated.

---
Scream
http://www.wcsoft.net
_________________________
StogieSmokers.com

#205535 - 10/19/00 02:54 PM oh one last thing.. [Re: Mix505]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
It's programmers who think "oh.. cookies.. those are secure.. no need to worry about checking them for security" that leave big friggen security gaps in their programs..

Cookies aren't secure by default.. You have to write your app to make them that way.. You can't just dismiss them as nothing..

Any time you are taking user information and store it somewhere you should look at the security of it all.. Databases can be just as insecure if your app isn't written right..

For example.. you might not strip special chars off a search form and a user could figure out a way to write code that does a select statement on the user_info table and prints it out to the screen... who knows?!?!?!

------------------------------------------------
Jeremy 'PeelBoy' Amberg
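
Added example, not part of the thread or of any forum's code: the search-form case from the post above, in Python with an in-memory SQLite database. It puts a query built by string concatenation beside one that binds the input as a parameter, which removes the need to strip characters; the `posts` table, its rows and the function names are constructed for the illustration.

```python
import sqlite3


def open_forum_db():
    """In-memory database with constructed rows (illustrative schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, subject TEXT);
        CREATE TABLE user_info (username TEXT, password TEXT);
        INSERT INTO posts (subject) VALUES
            ('Session support?'), ('What''s 100% secure?');
        INSERT INTO user_info VALUES ('example_user', '<stored password>');
    """)
    return db


def search_concat(db, term):
    """The pattern the post warns about: form input pasted into the SQL text."""
    sql = "SELECT subject FROM posts WHERE subject LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_bound(db, term):
    """Input is bound as a parameter, so it is only ever compared as data."""
    # Escape LIKE wildcards so '%' and '_' typed by the user match literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT subject FROM posts WHERE subject LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]


def input_reaches_parser(db, term):
    """Defender's check: does ordinary punctuation in the input break the statement?"""
    try:
        search_concat(db, term)
        return False
    except sqlite3.OperationalError:
        # The database tried to parse part of the input as SQL.
        return True


if __name__ == "__main__":
    db = open_forum_db()
    print("apostrophe reaches the SQL parser:", input_reaches_parser(db, "What's"))
    print("bound search for What's:", search_bound(db, "What's"))
    print("concatenated search for %:", search_concat(db, "%"))
    print("bound search for %:", search_bound(db, "%"))
```

A legitimate search containing an apostrophe is enough to show the difference: the concatenated query fails to parse, while the bound query simply finds the matching subject.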

#205536 - 10/19/00 02:56 PM Re: oh one last thing.. [Re: Mix505]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
Quote:
Just for clarification, sessions do not reside in the server's memory. They are written to a temp directory on the server. When needed they are accessed or updated

Even when the user IS online?

Benj

#205537 - 10/19/00 02:59 PM Re: oh one last thing.. [Re: Anonymous]
Rick Offline
Guru

Registered: 05/11/99
Posts: 8372
Loc: Olympia, WA
Yes, even when they are online. It writes the session info to a file. When you go to the next page and session_start() is called it grabs the info from the file.

---
Scream
http://www.wcsoft.net
_________________________
StogieSmokers.com

#205538 - 10/19/00 03:01 PM Re: Wrong.. [Re: Sally]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
Also, isn't there a higher risk of losing all user prefs if they are on a server temps dir?

I mean with cookies, each user is responsible for its own settings (cookie in his browser dir), but with sessions, all is on our server ==> higher risk?

Something I don't understand: will the user profile be stored in the session? Or will we have still the user database + the sessions?
Are the sessions like cookies, but stored on our server?

I don't get it.

Thanks,
Benj

#205539 - 10/19/00 03:06 PM Re: Wrong.. [Re: Anonymous]
PeelBoy Offline
Member

Registered: 02/16/00
Posts: 188
Loc: Austin, Texas, USA
Sessions are temporary.. They go away when you close your browser, or when they expire.. They are supposed to be used to pass information from page to page during your current session.. I would think that they are stored in a binary db file on the server, not a text file..(for speed) but I'm probably wrong about that... (it probably depends on what language you are using.. ASP probably handles sessions different than PHP) .. In this case (passing login info) I would say sessions should only be used IF the user does not want to use cookies.. I would hate to have 200 users all having info passed using sessions.. that would slow things way down.

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#205540 - 10/19/00 03:06 PM Re: Wrong.. [Re: Anonymous]
Rick Offline
Guru

Registered: 05/11/99
Posts: 8372
Loc: Olympia, WA
Well, if you are on a server that loses files then that would be bad ;). But then sessions would be the last of your problems :D.

Sessions work something like cookies, yes. All user profile info will still be stored in the database, sessions just track you while you visit the site.

How it works right now is you log in, and I set a cookie that has your username, encrypted password and language preference on your machine. Each time you request another page I grab this info from your cookie.

If you use sessions, in the php version this info is stored in a temporary file on the server. So instead of retrieving the info from your cookie, we grab it from the temp file.

There are 2 ways that sessions can work. One, you pass the session id (which points to the temporary file) to each script. Two, you set a cookie with the session id. So, we grab the session id from your cookie, and then grab the other info from the session file.

Hopefully that makes some sense. You will be able to choose either method (all cookies, sessions with no cookies, or sessions with cookies) for your users.

---
Scream
http://www.wcsoft.net
_________________________
StogieSmokers.com
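
Added example, not part of the thread and not w3t's or PHP's own code: a small Python model of the mechanism described in the post above (one temp file per session, found by a session id that travels in a cookie or in the URL), showing what the browser holds in each of the three modes. The `sess_` file prefix, the `sid` name, the `/page` link, the 1440-second lifetime and the sample login values are assumptions made for the illustration.

```python
import json
import os
import re
import secrets
import tempfile
import time

SESSION_ID = re.compile(r"[0-9a-f]{64}")  # the only shape create() ever issues


class FileSessionStore:
    """One file per session in a temp directory, found by session id."""

    def __init__(self, directory, lifetime=1440):  # seconds (assumed value)
        self.directory = directory
        self.lifetime = lifetime

    def _path(self, session_id):
        # The id comes back from the client (cookie or URL), so check its
        # shape before it becomes part of a file name.
        if not isinstance(session_id, str) or not SESSION_ID.fullmatch(session_id):
            return None
        return os.path.join(self.directory, "sess_" + session_id)

    def create(self, data, now=None):
        session_id = secrets.token_hex(32)  # unguessable, carries no user data
        now = time.time() if now is None else now
        fd = os.open(self._path(session_id),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"expires": now + self.lifetime, "data": data}, fh)
        return session_id

    def load(self, session_id, now=None):
        path = self._path(session_id)
        if path is None or not os.path.isfile(path):
            return None  # malformed id, or an id this server never issued
        with open(path) as fh:
            record = json.load(fh)
        now = time.time() if now is None else now
        if now >= record["expires"]:
            os.remove(path)  # expired: forget it, the user logs in again
            return None
        return record["data"]


def client_state(mode, login, store):
    """What is sent to the browser in each of the three modes from the post."""
    if mode == "all_cookies":
        return {"cookies": dict(login), "link": "/page"}
    session_id = store.create(login)
    if mode == "session_cookie":
        return {"cookies": {"sid": session_id}, "link": "/page"}
    if mode == "session_url":
        # No cookie at all, but the id now appears in history, logs and Referer.
        return {"cookies": {}, "link": "/page?sid=" + session_id}
    raise ValueError(mode)


if __name__ == "__main__":
    # Constructed sample login values.
    login = {"username": "example_user", "password": "<encrypted>", "language": "english"}
    with tempfile.TemporaryDirectory() as tmp:
        store = FileSessionStore(tmp)
        for mode in ("all_cookies", "session_cookie", "session_url"):
            print(mode, client_state(mode, login, store))
```

In both session modes a stolen cookie or link yields only a random id that stops working once the session file expires, whereas the all-cookies mode hands over the username and encrypted password themselves.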

#205541 - 10/19/00 03:08 PM Re: Wrong.. [Re: Chris Schreiber]
The Team Offline
Moderator

Registered: 08/11/00
Posts: 182
Loc: yes
tee hee... :)
But you do that w/o cookies! I think I'll write the Big Brother feature...so there! :P
