On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote:
> I right now have a complete user login and registration system, however it uses cookies when you login to store information. Is this a bad thing?
>
> $_COOKIE vs $_SESSION for login systems
>
> From,
> Michael Calkins
> michaelcalkins@xxxxxxxxxxxxxxxxxxxx

VERY bad idea! :p

Basically, cookies should only be used to store general non-personal information. Sessions are for anything that you want to keep out of prying eyes. The reason being that cookies are just plain text files on the client machine, and can effectively be read by another program or person very easily. Sessions make use of cookies to store the session_id whilst a user is logged in, but you should destroy the session after you no longer need it to remove the chance of someone getting hold of it and spoofing a request to your server. This can be done by destroying the session when a user logs out and setting a default timeout on a session.

Sessions are easier to use, I've found, than cookies. You can add information to the session and read it right back without needing the client's browser to make a new request to your server with the updated cookie in the header. You can store far more information in a session (exactly how much more depends on your server setup, obviously) and in a much more logical manner than a cookie.

This is not to say that cookies don't have their uses, but I think for a login system they introduce potential security issues which can be exploited.

Thanks,
Ash
http://www.ashleysheridan.co.uk
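The pattern Ash describes (only the session id lives in the cookie, the user data lives in $_SESSION, the session is destroyed on logout and after an idle timeout) as an added PHP example; it is not code from the thread, and it assumes a hypothetical verify_credentials($user, $pass) that returns the user's id or null, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the original post. Session-based login where the
// client only ever holds the session id; everything else stays server-side.

const IDLE_TIMEOUT = 1800; // seconds of inactivity before the session is dropped

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Session id cookie: not readable by client-side script, HTTPS only.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $user, string $pass): bool {
    start_secure_session();
    $id = verify_credentials($user, $pass); // hypothetical helper, see lead-in
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);          // fresh id so a pre-login id is useless
    $_SESSION['user_id']     = $id;       // stored on the server, never in a cookie
    $_SESSION['last_active'] = time();
    return true;
}

function current_user(): ?int {
    start_secure_session();
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (time() - $_SESSION['last_active'] > IDLE_TIMEOUT) {
        logout();                         // the "default timeout" Ash mentions
        return null;
    }
    $_SESSION['last_active'] = time();
    return $_SESSION['user_id'];
}

function logout(): void {
    start_secure_session();
    $_SESSION = [];
    // Expire the id cookie on the client as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```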