0

Since I am building a simple game I need users to stay loged in even when they leave. For security reasons it would be best to store cookies on my own server so the users can't change them. Is this possible?

I store everything in session variables, if the user is in fight, if the user is doing something time consuming etc. They can't access other points on my site until they finish with the previous task! That is why I need this information stored in my session cookies!

If this is not possible I guess I will just have to store such things in my database but that would be a lot of extra database manipulation on my hands...

Also can I even save such data in a cookie so that when user leaves and comes back, the session will still have the variables set to previous data?

Matic
  • 39
  • 1
  • 6

4 Answers4

5

Cookies, by definition, are client side. So, to answer your question at face value, you can't store them on the server.

However, you can store session information on the server. And if you need it to persist for longer than the typical session, a database (I'm afraid) is going to be the best option.

Brad Christie
  • 100,477
  • 16
  • 156
  • 200
  • Typical session only keeps data in it for so long as the script is active? Once the user leaves there is no other way than a database? – Matic Aug 06 '13 at 12:25
  • 1
    For more persisted storage, no. A database would be your best bet; then you'd have to create a method of retrieving the specific user's session back based on their login. – Brad Christie Aug 06 '13 at 12:27
  • is it possible to retireve old session data? like storing it in the database or something? Or would it be better to just store the fight and current actions in a database and just retrieve those – Matic Aug 06 '13 at 12:35
  • @Matic: That's up to how you implement it. I don't know enough about your site, but store the least amount of information necessary to pick up where the user left off. Based on what's in the database the next login, you should be able to take that information and recompile the user's previous session as if s/he never left. – Brad Christie Aug 06 '13 at 12:37
  • Thank you for your answers! Isn't storing session variables in database the same as storing normal variable data though? – Matic Aug 06 '13 at 17:28
  • @Matic: Yes and no. It really depends on what you need stored. Just like you don't store usernames and passwords in session, you use a database. the same mentality can be applied to additional information you need stored on a more permanent basis. – Brad Christie Aug 06 '13 at 17:46
  • Can you give an example when it would be a good idea to store session to a database? – Matic Aug 06 '13 at 17:50
  • 1
    @Matic: Anything you feel is important enough to perpetuate over long durations of inactivity should be stored in the database. Or, something that may be convenient to store between the user jumping computers would also be a good. – Brad Christie Aug 06 '13 at 18:39
1

This is not possible. The idea of session cookies is to set a unique session id in the browser to identify him in the backend, where you store your session data (like the variables you mentioned). See this stackoverflow question for some of the basics of that.

UPDATE: regarding "How long is the data stored in the Session?"

This is on you. You set a session timeout by your needs, after which the session is destroyed. Typically this could be everything between a few minuted and 30 days. After this period you didn't see the user with a specific session id, the session will be deleted. If the user returns, the time till session expires starts again at zero.

Community
  • 1
  • 1
morten.c
  • 3,414
  • 5
  • 40
  • 45
  • but for how long is this data saved in the session? – Matic Aug 06 '13 at 12:28
  • are there any downsides for lets say storing a session for 14 days or would it be better to store the session in a database if that is possible – Matic Aug 06 '13 at 17:07
  • You didn't really try to understand the answers you've got, or do you? You should read some basic stuff about sessions and cookies. And read the answer of "Your Common Sense" twice, because I'm not sure, if this is what you want, too. – morten.c Aug 06 '13 at 17:16
  • Oh sorry I see it now, you already answered "If the user returns, the time till session expires starts again at zero". So my only bet is database. I assume when browser exits the session is terminated – Matic Aug 06 '13 at 17:26
0

If the user hasn't cleared their cookies and they haven't expired , the session will pickup where you left it (also assuming no cleanup of sessions in /tmp). Otherwise it was never meant to be. They've moved on. They've changed, can't you?

Anthony
  • 36,459
  • 25
  • 97
  • 163
  • I guess this is not the right aproach then, I don't want users to clean their cookies and when they visit the page everything will be gone for them – Matic Aug 06 '13 at 12:26
  • @Matic fortunately, users have a free will [yet] on the matter. – Your Common Sense Aug 06 '13 at 12:30
  • Can't stop users from clearing cookies. It would be incredibly creepy if you tried. They clear them so you will forget them, so showing you haven't will result in me burning anything in history pointing to your site. – Anthony Aug 06 '13 at 12:30
0

Since I am building a simple game I need users to stay logged in even when they leave

I see no logic in this statement.
If a user leaves, then there is no session exists.

You are probably need something else.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345