Should I just use cookies?


2 replies to this topic

#1 JonathanAnon

JonathanAnon
  • Members
  • Member
  • 13 posts

Posted 04 April 2006 - 03:32 PM


I have a webpage set up for Secure Sockets Layer. I now want to tighten it down by using a password.
I used to use just a login and then set a cookie to say that the user had logged in, then have an isset() check at the start of each page.

Is this still the best way to do things or should I use some other method?

#2 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 04 April 2006 - 03:45 PM

I would think that most authentication systems use sessions, but really, there isn't a great deal of difference, as long as you're checking the values in the cookie against a database or some other data store on the server.

#3 Jessica

Jessica
  • Staff Alumni
  • This is not my name.
  • 8,982 posts
  • Location: Dallas, TX
  • Age: 26

Posted 04 April 2006 - 04:40 PM

Use cookies AND sessions to ensure the best security. You have:
cookie_username
cookie_userid
cookie_login (username+md5(pw))

session_login
session_username
session_userid

Cookies can be edited, so you always want to make your code refer to the SESSION variables, NOT the cookies. You want to check on each page that the cookie login and username MATCH the session login and username.

If the session doesn't exist, you get the info from the database using the cookie info and set the session.

Otherwise, someone can change their cookie to whatever they want and if you don't verify it against the session, they'll get in.
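The per-page check described in the post above, written out as an added example (this is not code from the thread or from any of its posters). It keeps the scheme exactly as stated: three cookies, three session values, the cookie login token being username + md5(password), the session rebuilt from the database when it is missing, and every later decision made from the session copy rather than the cookie. The `users` table, its `pwhash` column, the in-memory SQLite database and the sample user are assumptions made here so the script runs on its own with `php auth_check.php`; on a real page `$cookie` and `$session` would be `$_COOKIE` and `$_SESSION` after `session_start()`.

```php
<?php
// Added example of the cookie + session check from the post above.
// Assumed (not from the thread): a `users` table with id, username, pwhash
// where pwhash = md5(password), and an in-memory SQLite database built here.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)');
    $st = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $st->execute(['alice', md5('correct horse')]);   // constructed sample user
    return $db;
}

// Value stored in cookie_login: username followed by md5(password), as in the post.
function login_token(string $username, string $pwhash): string {
    return $username . $pwhash;
}

// Run at the start of every page. Returns the authenticated user id, or null.
// $cookie stands in for $_COOKIE; $session stands in for $_SESSION (by reference).
function check_auth(PDO $db, array $cookie, array &$session): ?int {
    foreach (['cookie_username', 'cookie_userid', 'cookie_login'] as $k) {
        if (!isset($cookie[$k])) { return null; }
    }

    if (!isset($session['session_login'])) {
        // No session yet: look the user up by the cookie's id and verify the
        // cookie token against the database before trusting anything.
        $st = $db->prepare('SELECT id, username, pwhash FROM users WHERE id = ?');
        $st->execute([(int) $cookie['cookie_userid']]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) { return null; }
        $expected = login_token($row['username'], $row['pwhash']);
        if (!hash_equals($expected, (string) $cookie['cookie_login'])
            || $row['username'] !== $cookie['cookie_username']) {
            return null;
        }
        $session['session_login']    = $expected;
        $session['session_username'] = $row['username'];
        $session['session_userid']   = (int) $row['id'];
    }

    // Session exists: the cookie must match the server-side copy on every field.
    if (!hash_equals($session['session_login'], (string) $cookie['cookie_login'])
        || $session['session_username'] !== $cookie['cookie_username']
        || $session['session_userid'] !== (int) $cookie['cookie_userid']) {
        return null;
    }
    // From here on, page code reads $session only, never $cookie.
    return $session['session_userid'];
}

// Demonstration with constructed cookie arrays.
$db = make_db();
$good = [
    'cookie_username' => 'alice',
    'cookie_userid'   => '1',
    'cookie_login'    => login_token('alice', md5('correct horse')),
];
$session = [];
// Valid cookies and no session yet: the session is rebuilt from the database.
var_dump(check_auth($db, $good, $session));

// The user edits cookie_userid client-side; the session still says user 1.
$tampered = $good;
$tampered['cookie_userid'] = '2';
var_dump(check_auth($db, $tampered, $session));

// A forged token with no session behind it is checked against the database and rejected.
$forged = $good;
$forged['cookie_login'] = login_token('alice', md5('guess'));
$fresh = [];
var_dump(check_auth($db, $forged, $fresh));
```

Two points worth noting when adapting this. The comparison of the token uses hash_equals() rather than `==`, so a forged cookie cannot be distinguished from a valid one by timing, and cookie_userid is cast to int before it reaches the prepared statement. Because cookie_login is, as the post specifies, a deterministic function of the username and password hash, it remains valid until the password changes; treat that as a property of the scheme being illustrated, not a recommendation.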



