Sessions or cookies
Started by Indigo, Sep 11 2007 05:47 AM
3 replies to this topic
#1
Posted 11 September 2007 - 05:47 AM
I'm making a secure login system and I don't know much about either, but I'd like to know: what should I use - sessions or cookies?
#2 Creative Insanity
Posted 11 September 2007 - 06:12 AM
Myself I use sessions and they seem to do the trick. But cookies are also good if you want things like auto login.
#3
Posted 11 September 2007 - 01:02 PM
I use sessions to store info into the database, but use cookies for stuff like the member's username and ID, and I also have a random ID, but that's just for security. Also, using cookies means I can keep my users logged in until they delete the cookie or until it expires, though I have it set for a year.
#4
Posted 11 September 2007 - 06:17 PM
You should do your research instead of sparking a common debate here.
Look up the pages on using sessions and cookies on PHP.net.
Generally, the rule-of-thumb is to use both, because they both have different pros and cons.
Sessions are more or less safer, in the case that they aren't as easy to be manipulated by a user.
The problem is that it is possible for a session to be hijacked, thus opening a lot of problems.
Cookies are more a convenience, as they allow a browser to give the server the login information, even on a different session. Problem is, cookies are completely editable by the user, plus the main fact that not everyone accepts cookies; some browsers might not support them, some people have them turned off out of paranoia.
So basically, store anything really sensitive on a session (and protect that session: read more about how to double-check sessions with hidden fields and such, comparing IPs, etc), and anything minor and minimal, like a user ID, maybe a hashed password, in cookies as a convenience factor; keep everything encrypted and/or hashed though, and be sure to validate and clean it when using it as input in every case.
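The "use both" arrangement post #4 recommends (the logged-in state lives in the session, a cookie brings the user back across browser sessions, as post #3 also does with a random ID), written out as an added example in PHP. This is editor-added code, not from any poster or from PHP.net. The user table, the token store, the cookie name and the 30-day lifetime are assumptions standing in for database tables and configuration, and the persistent cookie carries only a random token, nothing derived from the username or password.

```php
<?php
declare(strict_types=1);
// Added example (PHP 7.3+): session login plus a "remember me" cookie.
// The user table, token store, cookie name and lifetime are assumptions
// standing in for database tables in a real application.

// Lock down the session cookie before session_start(): Secure limits it to
// HTTPS, HttpOnly hides it from JavaScript, SameSite=Lax blocks most CSRF.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
session_start();

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days (assumed)

// Password login: verify the hash, then regenerate the session ID so an
// attacker who planted a session ID before login (fixation) does not keep it.
function login(array $users, string $username, string $password): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}

// Persistent login: the cookie holds a random selector (to find the row) and a
// random validator (to prove possession). Only a hash of the validator is
// stored, so a leaked token table cannot be turned straight into cookies.
function issueRememberCookie(array &$tokens, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $tokens[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $value;
}

// Auto-login from the cookie. Returns the user ID, or null if the cookie is
// malformed, unknown, expired or tampered with. Every token is single-use.
function loginFromRememberCookie(array &$tokens, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $tokens[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($tokens[$selector]);
        return null;
    }
    if (!hash_equals($row['hash'], hash('sha256', $validator))) { // constant-time compare
        unset($tokens[$selector]); // right selector, wrong validator: treat as theft, revoke
        return null;
    }
    unset($tokens[$selector]); // consumed; the caller issues a fresh one
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['user_id'];
    return $row['user_id'];
}

// Walk through the flow with constructed data; results are collected and
// printed at the end so no output precedes the session and cookie calls.
function demo(): array
{
    $users  = ['indigo' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    $tokens = [];
    $out = [];
    $out['wrong password']  = login($users, 'indigo', 'wrong password');
    $out['right password']  = login($users, 'indigo', 'correct horse battery staple');
    $cookie = issueRememberCookie($tokens, $_SESSION['user_id']);
    session_unset();                      // stand-in for the browser being closed
    $out['cookie login']    = loginFromRememberCookie($tokens, $cookie);
    $out['cookie replayed'] = loginFromRememberCookie($tokens, $cookie);
    $out['forged cookie']   = loginFromRememberCookie($tokens, 'deadbeef:cafe');
    return $out;
}

var_dump(demo());
```

Because each token is consumed on use, a real application calls issueRememberCookie() again right after a successful cookie login, and deletes all of a user's rows on logout or password change. The replayed-cookie and forged-cookie cases in demo() are the checks a reviewer would want to see fail: a stolen or guessed cookie must not get in, and a cookie that has already been used must not work a second time.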
