I'm pretty new to PHP and am experimenting with cookies and sessions.
So, in IE, if I set my Privacy settings to Block All Cookies, obviously all cookies will be blocked, but what about sessions?
I ask because I am under the impression that if cookies are blocked but I start a session, the session should be valid. In other words, whatever I set for the session variable should stick with the browser for as long as the browser is open, but this does not seem to be happening.
My whole thought process behind this is that I could use a cookie as my first means of tracking and in addition to setting the cookie I could also set a session in case cookies are disabled.
So, question 1 - Why is my session variable getting blocked? Is that supposed to happen? Question 2 - Is it good practice to set both a cookie and a session (in case the cookie is blocked)?
Sessions are, for the most part, just an identifier linked to a data set, per user.
This identifier is almost always stored as a cookie. If cookies are disabled, so are session cookies, so are sessions. The way round this is to include the session ID in every URL, and then pick it out and use it to initialise the session (i.e. use the ID to find the stored session data).
PHP can automatically add the session ID to relative URIs; it depends on configuration options, though. See "Passing the Session ID" in the manual. (Pay particular attention to this comment.)
Although sessions are stored server side, the server still needs to keep track of where the request is coming from. In order to do this, sessions store a unique ID in a cookie on your computer. The difference between doing this and simply setting cookies is that the latter contains the information itself, whereas a session cookie is only used to identify your requests. Therefore, disabling cookies will prevent this from happening and so your session variables may not be maintained.
You can have cookieless sessions, which usually simply append your unique ID to each URL request you send (so your URL will have a bunch of seemingly random alphanumeric characters). I'm not sure if PHP supports this method out of the box.
Cookies should be used whenever the information isn't too sensitive, or if you want them to stay on the user's computer for a long period of time. Sessions are more secure, even though cookies can be encrypted, since the data is stored server side. Deciding which one to use depends on your requirements, as each has its pros and cons.
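
The behaviour described in the answers above can be observed with a small probe page. This is an added example, not code from the thread: it reports the PHP options that decide whether the session ID travels in a cookie or in the URL, then counts requests in the session so a blocked cookie shows up as a counter that never passes 1. The file name `session_probe.php` and the helper `iniFlag()` are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. Save as session_probe.php (hypothetical
// name) and serve it locally with: php -S 127.0.0.1:8000
declare(strict_types=1);

// Read an ini switch as a real boolean ("1", "On", "" and "Off" all occur).
function iniFlag(string $key): bool
{
    return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
}

// The configuration options that decide how the session ID is carried.
$useCookies  = iniFlag('session.use_cookies');      // ID sent as a cookie
$onlyCookies = iniFlag('session.use_only_cookies'); // ID in the URL is ignored
$transSid    = iniFlag('session.use_trans_sid');    // PHP rewrites relative URIs

// Only accept session IDs that this server issued itself.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,                       // dropped when the browser closes
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,                    // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

// Did the browser return the session cookie with this request?
$cookieSent = isset($_COOKIE[session_name()]);

// Server-side data: only the ID ever leaves the server.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

header('Content-Type: text/plain; charset=utf-8');
printf("session.use_cookies      = %s\n", $useCookies ? 'on' : 'off');
printf("session.use_only_cookies = %s\n", $onlyCookies ? 'on' : 'off');
printf("session.use_trans_sid    = %s\n", $transSid ? 'on' : 'off');
printf("Session cookie received  = %s\n", $cookieSent ? 'yes' : 'no');
printf("Requests in this session = %d\n", $_SESSION['hits']);

if (!$cookieSent && $onlyCookies) {
    // With cookies blocked and URL IDs ignored, every request lands here.
    echo "No session cookie arrived, so PHP started a new, empty session.\n";
}
```

Reload the page with cookies allowed and the counter climbs; reload it with cookies blocked and each request reports a fresh session with a count of 1.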