Posted by David Haynes on 03/01/06 18:56

julian_m wrote:
> i'm finishing my 2nd php project. It's a sort of catalog and I used
> css/mysql as well. All the functionality of the site is mainly beacause
> the great number of arguments I pass to every page on the address bar.
> For example
> *number of items to display
> *categories
> *brands
> *user_id
> *price interval
> *...
> *...
> Note that the arguments aren't editable, beacause I've implemented a
> sort of extra verifier argument which works quite well
>
> The question is:
> In order to achieve a good design and therefore a good product, should
> I have to use session variables instead, or is it just a way to do the
> same?
>
> I would like to begin my next project with the right choice...
>
> regards - jm
>
Sessions, when they are used this way, implement another level of
'security through obscurity'. That is they make it just a little bit
harder to see what data is being passed back and forth. If you are not
using cookie-based sessions, the obscurity factor goes up again.

Sessions also prevent the issue of cutting and pasting the URL into a)
multiple browsers or b) as bookmarks. While you can detect edits to your
argument data, can you detect replays? If not, you may have an issue.

I try to hide as much information from the browser as I can simply
because what they can't see, they can't futz around with ;-)

-david-

[Back to original message]