> > I'm quite new to web2py and a noob at it. I've been struggling with the > difference between cookies and sessions. For what I've read the main > difference is that you store cookies on the clients side and sessions on > the server side
Yes, cookies are sent back and forth between the server and the client. You create a cookie on the server and it gets sent to the client. The client will then send it back with every request (until it expires). Although sessions are stored on the server (in files by default, though they can also be stored in the database), cookies are also involved in the implementation of sessions. In order to associate a particular server-side session with a particular client, a session cookie is passed between the client and server with a unique key that identifies the session on the server. > also that cookies expire and sessions get erased when you close the > browser! Technically, the server-side session does not get erased when you close the browser (though you can explicitly clean up old session files using a script like this one: http://code.google.com/p/web2py/source/browse/scripts/sessions2trash.py). However, the session cookie on the browser does get deleted by the browser when you close the browser. Any cookie that does not have an expiration set is considered a session cookie by the browser and deleted when the browser quits. As a result, even though the old session file may remain on the server, it is no longer accessible once the associated cookie is no longer being sent back by the browser. > But I have plenty of questions about them and how to use them(in web2py) > > *1. What can you store in them? * > *I've seen till now that you can store a dict and lists > in a session, and I'm having trouble using cookies but I guess text is the > only thing you can store... * > Technically, text is the only thing you can store in either, but non-string objects can be pickled and unpickled for storage in both sessions and cookies. So, you should be able to store dicts and lists in sessions and cookies -- web2py will handle the pickling and unpickling. More complex objects cannot be stored unless you define special pickling and unpickling functions for them (which is the case for Row and Rows objects, for example). > * > * > *2. When are they deleted?* > *According to what I googled cookies expire after a > certain time(I've seen you can set this in w2p) and sessions are deleted > when you exit the browser* > Answered above. > ** > *3. Could you use cookies as temporary DB?* > * **If I'm right and can only store text I guess this > would be complicated, but then the question is if you can modify the > expiring time so it never expires unless the user deletes it? * > * I mean you could use it to store user statistics for > example? This is one of the things I want to implement but having trouble > doing it. Let me show you what I'm trying * > * > * > *I first do this ** > def cookieCreate(): > > response.cookies['cookie_test'] = 1 > response.cookies['cookie_test']['expires'] = 24 * 3600 > response.cookies['cookie_test']['path'] = '/' > then* > * > if request.cookies.has_key('cookie_test'): > value = request.cookies['cookie_test'].value > response.cookies['cookie_prueba'] = str( 1 + int(value)) > #Shouldn't this update the cookie on the clients side? > else: > cookieCreate() > As you can see, I want to implement a sort of counter that doesn't get > deleted to develop some statistics later(how many games he played for > example), and don't want to have a DB yet ( I want to learn how to work > with cookies)* > Yes, the above should work, though I notice your last line references 'cookie_prueba' -- perhaps you meant that to be 'cookie_test' (so it will increment the value of 'cookie_test' on each request). Try response.flash = response.cookies['cookie_test'].value, and on each page refresh you should see the flash message increment by one. * > * > *4. Where are they stored?* > * ** I imagine cookies are stored where the browser > decides, then why the "path"? * > The "path" attribute tells the browser with which URL requests to send the cookie -- it refers to the URL path (i.e., the part of the URL after the domain). Setting the path to "/" tells the browser to send the cookie to all URLs within the domain (i.e., all paths). See http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path. > *and while session exists where are they stored?* > By default in /applications/yourapp/sessions, but you can also store them in the database. See http://web2py.com/books/default/chapter/29/4#session. > * > * > *5. Can you store a cookie in a session and viceversa?* > I suppose you could read the value of a cookie and then store it in the session (not sure why). You could also effectively store session data in a cookie (instead of using the server-side session). You would do that by creating your own cookie without an expiration (which makes it a session cookie) -- in this case, you would not be using the web2py session functionality. The problem is that it's not secure -- either the user or an attacker could tamper with the contents of the cookie before sending it back. There are ways to make cookie based sessions secure via encryption, but web2py doesn't include any cookie based session functionality. If you happen to be storing large amounts of data in the session, cookie based sessions may not be ideal because you'll be passing all the data back and forth over the wire on every request. > * > * > *6. If sessions have to somehow be stored at the server how do you know > which one belongs to whom? Is the a unique id? * > * > * > Answered above. Yes, a unique ID is generated. Anthony
