Posted by Jon on 11/18/93 11:43
All,
I have a question regarding the usage of sessions and cookies. I'm still a
fairly new developer, but have built quite a few login-driven applications
using MySQL for the backend and PHP for the front end.
When I have a login, I generally do the standard algorithm - Check the DB
for a matching UN/PW, set a session variable as true (or just set the
username as a session var) and then check on if the session['username'] var
is set. If it's set, they're logged in, if it's not they're not and I
redirect back to login.
My question has come up recently as I've seen many PHP developers using
setcookie() and running their code off of this. I'm using the following
method if there has been a matching un/pw combination found in the DB:
    if($totalRows != 0){
        $_SESSION['username'] = $row['usernameFromDB'];
    }
Then, in my include file to check, I'll say something like:
    if(!isset($_SESSION['username'])){
        header("Location: login.php");
    }
What's the difference here between the calling of cookies, or just using the
$_SESSION variable? Is there a flaw in my login systems here that I may want
to rethink? Thanks in advance.
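
Added example, not part of Jon's post: the session-based check described above, with the login state held server-side in $_SESSION (the browser only holds the session ID cookie, whereas a value written with setcookie() is stored and editable on the client). Assumptions: PHP 7.3+, hypothetical function names, a constructed in-memory user array standing in for the MySQL lookup, and password_verify() for the comparison.

```php
<?php
// Added example; function names and $users are hypothetical.
// Constructed sample user store standing in for the MySQL lookup.
$users = ['jon' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,  // session ID cookie not readable from JavaScript
        'secure'   => true,  // sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool {
    start_secure_session();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID once authenticated
    $_SESSION['username'] = $username;  // kept on the server, not in the browser
    return true;
}

function is_logged_in(): bool {
    start_secure_session();
    return isset($_SESSION['username']);
}

// Include-file check: redirect and stop, so the protected page never runs.
function require_login(): void {
    if (!is_logged_in()) {
        header('Location: login.php');
        exit;  // header() alone does not end the script
    }
}

// Command-line demonstration with the constructed user above.
if (PHP_SAPI === 'cli') {
    $rejected = login($users, 'jon', 'wrong password');
    $accepted = login($users, 'jon', 'correct horse');
    var_dump($rejected, $accepted, is_logged_in());
}
```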