Cookies Vs. Sessions

[frijole]

I have been reading about cookies and sessions recently and it seems like they both could be used for many things. I am building a members site with comments etc. What things are better for sessions and what is better for cookies? 

[pocobueno1388]

If your able to use sessions, use them instead of cookies. From my understanding, cookies are more prone to be hacked and changed.

[frijole]

I am building a members site with comments etc. I am now learning how to use cookies and sessions but I am not sure which is good for what and why?

[dbo]

Cookies are stored on the client, session are stored on the server.

 

I typically use sessions for most things, because if a client has cookies disabled it then can make your site inaccessible. If you don't mind having cookies as a requirement... go for it.

 

I use cookies for convenience type of stuff. Store a username in a cookie so that it can be prefilled for them, etc. Obviously you don't want to store sensitive data in cookies... at the very least you would want to encrypt it first.

[haku]

cookies reside on the clients machine, and the data can be seen by anyone using that machine. They are not secure, and should only be used for data that doesn't need to be secure, as they don't even need to be hacked - the data is right there for all to see.

 

sessions reside on the server and are more secure. The data inside of them cannot be seen by the user. They are not 100% secure however, so sensitive information shouldn't be stored in them (for example passwords).

 

 

[dbo]

Don't double post. You posted this same question in the design forum.

[frijole]

sorry about the double post, I wasn't sure which category it should go in. What about when someone chooses to stay logged into a site, isn't the password stored somewhere then?

[frijole]

sessions reside on the server and are more secure. The data inside of them cannot be seen by the user. They are not 100% secure however, so sensitive information shouldn't be stored in them (for example passwords).

How would you go about keeping a user logged into a site then? If the password is unsafe?

[roopurt18]

You shouldn't ever store the user's PW in a cookie, encrypted or not.  In the case of a 'Remember Me' function that automatically logs a user in, it would be better to store the username and a unique, site-generated key in the cookie.  This key is attached to the user's record in the database.

 

When anyone visits the site, you check if the username and this key are present in the cookie.  If they are you check if the key matches that in the DB and if it does, log the user in.  This way if someone else uses the machine you don't reveal too much about the previous user if they look at the cookie.

 

Optionally you can encrypt the username and key combination in the cookie for additional security.

[dbo]

I'm not sure why I'm even responding to this since you are continuing to double post... but oh well.

 

Why would you even need to store a password? You don't. You store a value indicating if they are logged in or not. If this unique identifier is set, you grant access, if it's not then you redirect them to login and give them a chance to login. You would not need to authenticate them on every page.

[haku]

After you have checked their login and password info, store either their username or their user id in a session variable, and check for that each time. There is no need to keep checking the password, its insecure and inefficient.

[peranha]

After you have checked their login and password info, store either their username or their user id in a session variable, and check for that each time. There is no need to keep checking the password, its insecure and inefficient.

 

Sessions are stored and removed when you restart your browser, so in a session will not work if the user closes the browser.  It has to be stored in a cookie on the users machine.  Store a user name and a unique key is a cookie, and in the database, and check to see if they are set in the cookie, and they are the same.

[frijole]

so in my members  table there would be:

 

username - this

userid

password

uniquekey -  and this could be set in a cookie?

 

and then if the "remember me" checkbox is checked it will set the cookie?

 

so what does the beginning of my frontpage.php file look like in order to check for the cookie?

[rofl90]

Cookies really aren't that bad if you know how to use them. If you can secure a cookie, I personally believe it can be easier and more efficient. I use cookies for my CMS, and I had a bunch of guys try to break in, and they couldn't.

[frijole]

how could i secure it?

[haku]

Sessions are stored and removed when you restart your browser, so in a session will not work if the user closes the browser.  It has to be stored in a cookie on the users machine.  Store a user name and a unique key is a cookie, and in the database, and check to see if they are set in the cookie, and they are the same.

 

You are correct about a session not working after closing the browser. But if you want to have a secure system, then you shouldn't store passwords anywhere other than the database. You should require your users to log in each time.

 

You can store passwords in a cookie if you want, but you are basically lowering the security level of your site. If thats not such a big issue, then you have no worries.

[peranha]

That is why I said store a unique key and the username, or something else.

 

Store a user name and a unique key is a cookie, and in the database, and check to see if they are set in the cookie, and they are the same.

 

[haku]

That still doesn't change the fact that any person using that computer can go in and see what that unique key is. Cookies are entirely exposed.

[peranha]

That still doesn't change the fact that any person using that computer can go in and see what that unique key is. Cookies are entirely exposed.

 

Yes, agreed, but for a remember me, you will have to use cookies.  That is if you want the user to stay logged in even if a browser is closed.  That is what I was getting at.

[ohdang888]

hey, i'm building the same thing.

 

I use sessions, and have found them to be an extremely useful tool.

[frijole]

is there  any way to do a "remember me" without using cookies?

[haku]

Not reliably. You can try logging their IP address, and it may work for a day or two, but most people have dynamic IP addresses these days so it wont work after that. You also run the risk of giving the wrong person access to their account if someone happens to end up with the same IP address coincidentally. Not so likely to happen, but its not impossible by any means.