
Cookies Vs. Sessions


frijole


Cookies are stored on the client, sessions are stored on the server.

 

I typically use sessions for most things, because if a client has cookies disabled, it can make your site inaccessible. If you don't mind having cookies as a requirement... go for it.

 

I use cookies for convenience type of stuff. Store a username in a cookie so that it can be prefilled for them, etc. Obviously you don't want to store sensitive data in cookies... at the very least you would want to encrypt it first.


Cookies reside on the client's machine, and the data can be seen by anyone using that machine. They are not secure, and should only be used for data that doesn't need to be secure, as they don't even need to be hacked - the data is right there for all to see.

 

Sessions reside on the server and are more secure. The data inside of them cannot be seen by the user. They are not 100% secure however, so sensitive information shouldn't be stored in them (for example passwords).

 

 


Sessions reside on the server and are more secure. The data inside of them cannot be seen by the user. They are not 100% secure however, so sensitive information shouldn't be stored in them (for example passwords).

How would you go about keeping a user logged into a site then? If the password is unsafe?


You shouldn't ever store the user's PW in a cookie, encrypted or not. In the case of a 'Remember Me' function that automatically logs a user in, it would be better to store the username and a unique, site-generated key in the cookie. This key is attached to the user's record in the database.

 

When anyone visits the site, you check if the username and this key are present in the cookie. If they are, you check if the key matches that in the DB and if it does, log the user in. This way if someone else uses the machine you don't reveal too much about the previous user if they look at the cookie.

 

Optionally you can encrypt the username and key combination in the cookie for additional security.


I'm not sure why I'm even responding to this since you are continuing to double post... but oh well.

 

Why would you even need to store a password? You don't. You store a value indicating if they are logged in or not. If this unique identifier is set, you grant access; if it's not, you redirect them to login and give them a chance to log in. You would not need to authenticate them on every page.


After you have checked their login and password info, store either their username or their user id in a session variable, and check for that each time. There is no need to keep checking the password, it's insecure and inefficient.

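As an added example (not posted by anyone in this thread), here is what the session-based approach from the last two replies looks like in PHP: the password is verified exactly once at login, only the user id is kept in the session, and every protected page just checks for that id. The users table is a constructed in-memory stand-in, the user `alice` and the redirect target `/login.php` are assumptions.

```php
<?php
// Added example: session-based login check.
// The password is verified once in login(); later pages only look at $_SESSION['user_id'].
declare(strict_types=1);

// Constructed stand-in for a users table. In a real app the row comes from the
// database and pw_hash was produced by password_hash() at registration time.
function findUserByName(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'id'       => 42,
                'username' => 'alice',
                'pw_hash'  => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$username] ?? null;
}

// login.php: verify the credentials exactly once.
function login(string $username, string $password): bool
{
    static $dummyHash = null;
    // Verifying against a dummy hash when the user is unknown keeps the response
    // time similar for valid and invalid usernames.
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $user = findUserByName($username);
    $hash = $user['pw_hash'] ?? $dummyHash;
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after authentication (fixation defence)
    $_SESSION['user_id']    = $user['id']; // store the id, never the password
    $_SESSION['login_time'] = time();
    return true;
}

// First thing on every protected page (e.g. frontpage.php): is someone logged in?
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');   // assumed login page
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Session cookie settings; must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();
```

The important property is that after `login()` returns true nothing sensitive is stored anywhere on the client: the session cookie only carries an opaque session id, and the server-side session holds the user id. Regenerating the session id on login prevents an attacker who planted a session id before authentication from inheriting the logged-in session.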

After you have checked their login and password info, store either their username or their user id in a session variable, and check for that each time. There is no need to keep checking the password, it's insecure and inefficient.

 

Sessions are stored and removed when you restart your browser, so a session will not work if the user closes the browser. It has to be stored in a cookie on the user's machine. Store a user name and a unique key in a cookie, and in the database, and check to see if they are set in the cookie, and they are the same.


so in my members table there would be:

 

username - this

userid

password

uniquekey - and this could be set in a cookie?

 

and then if the "remember me" checkbox is checked it will set the cookie?

 

so what does the beginning of my frontpage.php file look like in order to check for the cookie?

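As an added example (not from any poster here), this is one way the "Remember Me" scheme described earlier in the thread, and the beginning of frontpage.php that checks for it, can be written in PHP. It goes a little beyond the thread's description: instead of the username, the cookie carries a random selector (so the cookie reveals nothing about who the user is), and the database stores only a SHA-256 hash of the secret part, so a leaked `remember_tokens` table cannot be replayed as a cookie. The table name `remember_tokens`, its columns, the cookie name and the SQLite DSN are assumptions.

```php
<?php
// Added example: 'Remember Me' cookie = random selector + random verifier.
// Assumed table (created with the schema below if it does not exist):
//   remember_tokens(selector TEXT PRIMARY KEY, verifier_hash TEXT, user_id INTEGER, expires_at INTEGER)
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

// Called after a successful password login when the "remember me" box was ticked.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector = bin2hex(random_bytes(12));   // public lookup key, 24 hex chars
    $verifier = bin2hex(random_bytes(32));   // secret, only ever sent to the client
    $expires  = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, verifier_hash, user_id, expires_at)
         VALUES (:selector, :hash, :user_id, :expires)'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $verifier),   // store a hash, never the secret itself
        ':user_id'  => $userId,
        ':expires'  => $expires,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $verifier, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Top of frontpage.php: when there is no live session, try the cookie.
// Returns the user id on success, null otherwise.
function userFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;                               // missing or malformed cookie
    }
    [, $selector, $verifier] = $m;

    $stmt = $db->prepare(
        'SELECT user_id, verifier_hash, expires_at FROM remember_tokens WHERE selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;                               // unknown selector or expired token
    }
    // Constant-time comparison so a wrong verifier cannot be guessed byte by byte.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        // Known selector but wrong secret: the cookie was tampered with or a copied
        // token is in use, so invalidate it rather than leaving it valid.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = :selector')
           ->execute([':selector' => $selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// frontpage.php, first lines:
session_start();
if (empty($_SESSION['user_id'])) {
    $db = new PDO('sqlite:' . __DIR__ . '/app.sqlite');    // assumed DSN
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector TEXT PRIMARY KEY, verifier_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    $uid = userFromRememberCookie($db);
    if ($uid !== null) {
        session_regenerate_id(true);   // promote the cookie login to a normal session
        $_SESSION['user_id'] = $uid;
    }
}
```

Two things this keeps from the thread's advice: no password ever goes into the cookie, and the cookie value is only meaningful together with the matching database row. Anyone who reads the cookie on a shared machine still gets a working token, which is why the token has an expiry and why a logout should delete the row on the server side as well as clearing the cookie.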

Cookies really aren't that bad if you know how to use them. If you can secure a cookie, I personally believe it can be easier and more efficient. I use cookies for my CMS, and I had a bunch of guys try to break in, and they couldn't.


Sessions are stored and removed when you restart your browser, so a session will not work if the user closes the browser. It has to be stored in a cookie on the user's machine. Store a user name and a unique key in a cookie, and in the database, and check to see if they are set in the cookie, and they are the same.

 

You are correct about a session not working after closing the browser. But if you want to have a secure system, then you shouldn't store passwords anywhere other than the database. You should require your users to log in each time.

 

You can store passwords in a cookie if you want, but you are basically lowering the security level of your site. If that's not such a big issue, then you have no worries.


That still doesn't change the fact that any person using that computer can go in and see what that unique key is. Cookies are entirely exposed.

 

Yes, agreed, but for a remember me, you will have to use cookies.  That is if you want the user to stay logged in even if a browser is closed.  That is what I was getting at.


Not reliably. You can try logging their IP address, and it may work for a day or two, but most people have dynamic IP addresses these days so it won't work after that. You also run the risk of giving the wrong person access to their account if someone happens to end up with the same IP address coincidentally. Not so likely to happen, but it's not impossible by any means.
