sessions or cookies


uncleronin


Argh! I'm in a fix - I don't know whether to use sessions or cookies! Okay, so in general they both accomplish the same goal, but one is more private than the other, they are both equally flexible, one makes fugly query strings, the other requires encryption... *shudders* What the hell! I've read so much crap about each that it really is a problem. There are still some people who believe cookies can execute code on your PC, and there are some (like myself until a moment ago) who believe that sessions always reside on the server until they expire rather than just expiring when the browser closes :-X (How does that work, by the way?)

 

Sooooo, what I wanna find out from you guys is which I should use (or both)? I have a bunch of pages that I want to restrict access to. You MUST be logged in to view these pages. When you log out you CANNOT view these pages; you can't use the back/forward button or any other funny tactic to view a restricted page. NO personal information is kept about the user other than their user ID and auth level (which is used to dynamically build the navigation menu and page content).

 

At the moment I'm using cookies and it works fine, BUT if anyone with half a brain looks at the cookies they can figure out how to manipulate the auth level to gain access to restricted pages. The user ID is only used to customize page content.

 

Would it be best to use sessions and hide everything from the user or to implement basic encryption on the cookies that are visible?

 

(Please, no 'use sessions because they are the best' or 'sessions are crap, use cookies'. That would be a retarded reply and I would have to point my finger at you and call you stupid.)


Use sessions because they are better suited for what you want to do and easier to manipulate. Reserve cookies for when you want to save information between browser sessions, such as to provide automatic login on the next visit to the page (but of course, don't save the user's login information in the cookie).

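The approach recommended in the reply above, as an added example that is not code from the original thread or from any poster: the cookie carries only an opaque random session ID, while the user ID and auth level stay in a server-side store and the auth level is re-read from the user table on every request. The user table, the two auth levels, the 15-minute idle timeout, and the `login`/`current_user`/`can_view` function names are all assumptions made for the example; the thread names none of them. Logging out deletes the server-side record, which is what stops the back button from showing a restricted page. This also answers the "how does that work?" question in the opening post: a cookie set without an expiry is thrown away when the browser closes, but the server-side record lingers until the server's own timeout or garbage collection removes it, so the two lifetimes are independent.

```python
import secrets
import time

# Constructed user store standing in for the database the thread queries.
# Auth levels are an assumption: 0 = ordinary user, 1 = admin.
USERS = {
    7: {"auth_level": 0},
    42: {"auth_level": 1},
}

# Assumed idle timeout: seconds without a request before the server forgets the session.
SESSION_TTL = 15 * 60

# Server-side session store: opaque cookie value -> session record.
# Only the random ID crosses the wire; user ID and auth level never leave the server.
SESSIONS = {}


def login(user_id, now=None):
    """Create a server-side session and return the opaque ID to put in the cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
    SESSIONS[sid] = {"user_id": user_id, "last_seen": now}
    return sid


def logout(sid):
    """Destroy the session server-side so a replayed cookie no longer resolves."""
    SESSIONS.pop(sid, None)


def current_user(cookie_sid, now=None):
    """Resolve a cookie value to (user_id, auth_level), or None if not logged in.

    The auth level is re-read from the user store on every request rather than
    cached in the session, so a demotion or deletion takes effect immediately.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL:
        SESSIONS.pop(cookie_sid, None)  # idle too long: server forgets it
        return None
    sess["last_seen"] = now
    user = USERS.get(sess["user_id"])
    if user is None:  # account removed since login
        SESSIONS.pop(cookie_sid, None)
        return None
    return sess["user_id"], user["auth_level"]


def can_view(cookie_sid, required_level, now=None):
    """Access check for a restricted page: logged in and at least required_level."""
    ident = current_user(cookie_sid, now)
    return ident is not None and ident[1] >= required_level


def demo():
    """Walk through the cases the opening post worries about; returns a dict of outcomes."""
    results = {}
    sid = login(7, now=1000.0)
    results["user_sees_public"] = can_view(sid, 0, now=1001.0)
    results["user_blocked_admin"] = can_view(sid, 1, now=1002.0)
    # Editing the cookie cannot raise the level: there is no level in it, and a
    # modified ID simply matches nothing on the server.
    results["tampered_cookie"] = can_view(sid + "x", 0, now=1003.0)
    logout(sid)
    results["after_logout"] = can_view(sid, 0, now=1004.0)  # back-button replay
    sid2 = login(42, now=2000.0)
    results["admin_ok"] = can_view(sid2, 1, now=2001.0)
    results["idle_expired"] = can_view(sid2, 1, now=2001.0 + SESSION_TTL + 1)
    return results
```

In a real deployment the store would be a database or a cache rather than a dict, and the cookie should be sent with the HttpOnly and Secure flags so script and plain HTTP cannot read it.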

*nods* I guess cookies don't really make sense in this instance then. I'm definitely not gonna allow any sort of 'Remember me on this computer' stuff.

 

@Caesar: At the moment, when a user logs in I get their auth level by querying a DB. I then use that to build my pages and navigation menu. Is this the correct way to do things, or is there some other means of validation I must use? (Something like querying the DB every time a page is visited to make sure that the user ID and auth level match? *gonna do that now actually*)

 

@roopurt18: How else would you enable an automatic login without storing the user's login info? Just dump a random string and then use the string to query the DB for the user's info?


"(Something like querying the DB every time a page is visited to make sure that the user ID and auth level match? *gonna do that now actually*)"

^ Good idea.

 

 

I'd create a unique hash when a user logs in and store that in their row of the users table. Then in the auto-login cookie I'd store the username and the unique hash. That way, the person who has the cookie can only log in as themselves.

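The auto-login scheme from the reply above, and the "random string, then look it up in the DB" idea from the question before it, as an added example that is not code from the thread or from any poster. It differs from the reply in one deliberate way: the cookie holds the raw random token and the users table holds only a SHA-256 hash of it, so a leaked database dump does not contain working cookies. The username is used only to select the row, and the token is compared against that row's hash alone, which is what makes the cookie usable only for its own user. The user table, the `username:token` cookie layout, and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed users table: username -> row. Only the hash of the auto-login
# token is stored; the token itself exists only in the user's cookie.
USERS = {
    "alice": {"user_id": 7, "auth_level": 0, "autologin_hash": None},
    "bob": {"user_id": 42, "auth_level": 1, "autologin_hash": None},
}


def _hash_token(token):
    """SHA-256 is enough here: the token is 256 random bits, not a guessable password."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_autologin(username):
    """After a successful password login: mint a fresh random token, store only its
    hash in the user's row, and return the cookie value 'username:token'."""
    token = secrets.token_urlsafe(32)
    USERS[username]["autologin_hash"] = _hash_token(token)
    return f"{username}:{token}"


def autologin(cookie_value):
    """Validate an auto-login cookie. Returns (user_id, auth_level) or None.

    The username only selects the row; the token must match that row's hash,
    so a token can never log anyone in as a different user.
    """
    if cookie_value is None or ":" not in cookie_value:
        return None
    username, token = cookie_value.split(":", 1)
    row = USERS.get(username)
    if row is None or row["autologin_hash"] is None:
        return None
    # Constant-time comparison so response timing leaks nothing about the stored hash.
    if not hmac.compare_digest(row["autologin_hash"], _hash_token(token)):
        return None
    return row["user_id"], row["auth_level"]


def revoke_autologin(username):
    """Explicit logout: clear the stored hash so every copy of the cookie is dead."""
    USERS[username]["autologin_hash"] = None


def demo():
    """Exercise the valid, cross-user, garbage and revoked cases; returns a dict of outcomes."""
    r = {}
    alice_cookie = issue_autologin("alice")
    bob_cookie = issue_autologin("bob")
    r["alice_ok"] = autologin(alice_cookie) == (7, 0)
    # Splice alice's token onto bob's username: it only matches alice's row.
    forged = "bob:" + alice_cookie.split(":", 1)[1]
    r["cross_user_forged"] = autologin(forged)
    r["garbage"] = autologin("bob:notatoken")
    revoke_autologin("bob")
    r["bob_after_logout"] = autologin(bob_cookie)
    return r
```

Two further refinements a practitioner would add: give the stored hash an expiry so a forgotten cookie does not work forever, and rotate the token each time it is used so a copied cookie stops working as soon as the legitimate browser logs in again.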
