Web Application Concepts



Session management, security considerations and authentication, and usability form the base of every Web application. Web applications aren't possible without proper session management. You have to find a way to recognize users during multiple page requests if you want to associate variables like a shopping cart with one specific user. And this identification had better be secure if you don't want to have one user seeing another's credit card information.



Indeed, special considerations are necessary for improving security in your applications. Even if PHP is less prone to crackers' attacks than other CGI environments, it's easy to write totally exposed applications.

You lose control over the data: as long as the user doesn't return to your site, you can't access the data. And worse, that data may be manipulated when you get it back. Ninety percent of all Web site defacements and break-ins come from applications accepting tampered data from the client side and trusting that data. Do not keep data on the client. Do not trust data from the client.

If you use GET/POST, the storage isn't persistent across sessions.

If you rely exclusively on cookies, you have a problem because some users won't accept cookies—they simply disable cookies in their browsers.

The data is hard to maintain because you need to save all data on every page. Each variable needs to be URL-encoded, added to a form as a hidden field or added to the URL, or saved as a cookie. This is difficult for a single variable such as the session ID, let alone dozens of variables!

Thus, the data needs to be stored on the server. Where exactly you store it isn't all that important; it can be in a relational database management system (RDBMS), plaintext file, dBASE file, etc. Because a Web application generally already uses a relational database such as MySQL, this should be the preferred storage medium.

To associate the data with a user, you need a session identity number, a key that ties the user to his data.
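The following is an added example, not code from the original text, showing the two rules above in PHP: the session ID is the only thing the client holds, and everything it refers to (here, a shopping cart) stays on the server. It assumes PHP 7.3 or later (for `random_bytes()` and the array form of `setcookie()`), a placeholder storage directory, and a constructed two-item product catalog; the cookie name, file layout and timeout are arbitrary choices for the example.

```php
<?php
// Added example (not from the original text): a minimal server-side session
// store that ties a browser to its data through an unguessable session ID.
// Assumptions: PHP 7.3+ and a writable directory for session files.

declare(strict_types=1);

const SESSION_COOKIE = 'APPSESSID';          // arbitrary cookie name
const SESSION_DIR    = '/tmp/app_sessions';  // placeholder path; use a locked-down directory in practice
const SESSION_TTL    = 1800;                 // seconds of inactivity before a session is discarded

// The session ID must be unguessable, otherwise one user can read another's
// data: 128 bits from the OS CSPRNG, hex-encoded (32 characters).
function generate_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Validate the ID *before* using it as part of a file name. Anything that is
// not exactly 32 hex characters is rejected, which also keeps values such as
// "../etc/passwd" from ever reaching the file system.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1;
}

function session_path(string $id): string
{
    return SESSION_DIR . '/sess_' . $id;
}

// Load the data stored under a session ID, or null if it is malformed,
// unknown or expired.
function load_session(string $id): ?array
{
    if (!is_valid_session_id($id)) {
        return null;
    }
    $path = session_path($id);
    if (!is_file($path)) {
        return null;
    }
    if (time() - filemtime($path) > SESSION_TTL) {
        unlink($path);
        return null;
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

function save_session(string $id, array $data): void
{
    if (!is_valid_session_id($id)) {
        throw new InvalidArgumentException('refusing to store under a malformed session ID');
    }
    if (!is_dir(SESSION_DIR)) {
        mkdir(SESSION_DIR, 0700, true);
    }
    file_put_contents(session_path($id), json_encode($data), LOCK_EX);
}

// Resolve the current request's session: reuse the cookie's ID if it names a
// live session, otherwise start a fresh one. Returns [id, data].
function open_session(): array
{
    $id   = $_COOKIE[SESSION_COOKIE] ?? '';
    $data = load_session($id);
    if ($data === null) {
        $id   = generate_session_id();
        $data = [];
        save_session($id, $data);
        // HttpOnly keeps page scripts from reading the cookie; Secure limits it to TLS.
        setcookie(SESSION_COOKIE, $id, [
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Lax',
            'path'     => '/',
        ]);
    }
    return [$id, $data];
}

// Request handling: the cart lives on the server, keyed by the session ID.
// Only the product ID comes from the client; the price is looked up
// server-side, so a tampered form field cannot change what is charged.
$catalog = ['book-1' => 1999, 'pen-2' => 250];   // constructed sample data, prices in cents

[$sid, $session] = open_session();

$product = $_POST['product'] ?? null;
if ($product !== null && isset($catalog[$product])) {
    $session['cart'][$product] = ($session['cart'][$product] ?? 0) + 1;
    save_session($sid, $session);
}

$total = 0;
foreach ($session['cart'] ?? [] as $item => $qty) {
    $total += $catalog[$item] * $qty;   // server-side price, never $_POST['price']
}
header('Content-Type: text/plain');
echo 'cart total: ' . number_format($total / 100, 2) . "\n";
```

The point to notice is how little the client is trusted: the cookie value is treated as a lookup key only after it passes a strict format check, and the only other client input, the product ID, is accepted solely if it exists in the server-side catalog. Storing the cart in a database table keyed by the session ID instead of a file works the same way; only `load_session()` and `save_session()` change.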