PHP replacing $_SESSION with $_COOKIE syntax differences

Question

New to PHP Sessions and Cookies.

I have an old login script that I'm trying to upgrade to work with a new cross sub-domain feature. It was all written with $_SESSION instead of $_COOKIE. (From what I've ready, anything set to a SESSION var doesn't carry over cross domain, even after I've set the cookie params for the entire domain and root directory).

If I do a Search and Replace for $_SESSION and change it to $_COOKIE, am I going to have to make a lot of syntax changes, or do mostly operate the same way?

Answer 1

That is in general a very bad idea. Using cookies for all session related data means that you maybe publish internal data. So you would make it for an attacker quiet easy to get admin rights if you would habe a cookie isAdmin=false. Also all Cookies are transmitted on every request, which also causes more traffic.

Please note also that cookies are set with the function setcookie(). $_COOKIE is normally read only.

Answer 2

$_SESSION can be used to read and write session data. $_COOKIE is used to read.

A potential problem with setting cookies is that they must be set using setcookie before any browser output... this may break your code if $_SESSION is being used to write session data during or after page rendering (because session data can be set at any time).

Cross domain sessions would be a security vulnerability, and from the sounds of it, crossdomain cookies when dealing with user credentials.