I have been struggling for a while on how to share information stored in $_SESSION in order to avoid pop up issues with IE and etc. I would really like some insight into how to deal more gracefully with cookies, from someone who uses them more often than i.

Basically all I want to do is populate the session data into the cookie. Here is an example of code that would be nice to work:


For whatever reason, setting the cookies on the same script the session is being set from POST is not working properly either ... but I would be happy to employ another similar method.

The only cookie that is working is the one to identify the session ... erg

You shouldn't do this, it's totally unsafe to store data from sessions in cookies. That's why there are sessions so you can store data the client shouldn't see.

Fair enough, although for this particular application, security is not a real issue.

The problem is that sessions aren't persistent through page loads due to having a load balanced server. There is also the issue of pop ups killing the session in IE. I am trying to work out a two birds, one stone approach ;(

Do you know of any workarounds for this that don't involve using cookies? I certainly prefer sessions all things equal. But I certainly can't be having a user authenticate on each new page ...

Never ever store their password in a public location. It's perfectly safe to store other session data in a cookie, so long as the authentication doesn't take place directly from the cookie to the application.

Just out of curiousity, what is this about popups in IE killing sessions?
-m

Thanks for all your input so far ... again security for this particular bit of code is not an issue, I just want to figure out why setting cookies isn't working ...

The IE issue is pretty well known, I run into it mostly when spawning pop ups (to input data etc.). There is a lot of information about it here.

Never heard of it till now, but as for your cookie problem, have you tried setting your own expiration on them? According to the manual;

If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

So perhaps you're running into a situation where the cookie is expiring before the browser is closing, for whatever reason. Try the following perhaps;

Which will set them to expire in two weeks time (you can change this to anything you wish).
-m

Setting session variables then setting cookies with the data from the sessions breaks the whole concept of sessions and as people have said, potentially causes a security issue.

For a load balanced server setup you may be interested in using the DB to store session information with:
session_set_save_handler


That way the sessions are no longer stored on the server but in the DB (which should be central and available to all boxes) therefore they exist to all servers on the load balancer (in theory)

__________________

@sketchMedia
I have been working on a login system here, and this will suit my needs well. I had never thought to look for something like it. I was coding my own solution, but this will make things a lot easier. Thanks!

__________________
-- Bill
"Why is it drug addicts and computer aficionados are both called users?" -Clifford Stoll

no probs m8, glad to help.

__________________