Mikael Grön wrote:
As I said.
Cookies being completely insecure is as valid as Cookies not being as
secure as Sessions.
Sessions are more secure than cookies, but only in so far as the actual
data stored in a session is never sent to the client.
... *sighs*
I'm not sure what that's supposed to mean. This is a serious topic, and
the lack of understanding of it that too many PHP developers suffer from
is part of the reason PHP is getting a bad security reputation.
Though, there are ways to make cookies more secure, for example by
storing copies of them with timestamps in a database and matching values
before allowing users to pass... But that's more or less exactly what
Sessions do, so there's really no use of Cookies for authentication.
There is no real way to make cookies secure. Anything you do needs to be
reversible and so can be brute-forced. The best approach to take IMHO is
to use cookies for session IDs and identification between visits.
*Never* authenticate someone based purely on a cookie, and *never* track
user status in cookies.
Oh, and to correct one other thing, cookies will disappear when you
close the browser if you don't give them an expiry time. This is how the
session ID cookie works.
-Stut
Stut wrote:
Mikael Grön wrote:
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when
you close the browser, which is standard on other pages with login
systems. Your users will expect to be logged out when closing the
browser.
"as secure"??? Cookies are not secure at all. There has been a *very*
lengthy discussion of this subject on the PHP-General mailing list.
Search the archives for a recent thread with the subject "Session
Authentication".
-Stut
sam rumaizan wrote:
It is a general question.
Why can't I use a cookie instead?
Mikael Grön <php@xxxxxxxx> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have
registered can log in to access special content. Only, you want such
a high security on your website so that people shouldn't be able to
simply browse to the hidden files, nor should a user still be logged
in when his friend uses his computer and starts a fresh browser.
Here's where sessions are perfect! You store the userId or similar
information in the session and start every secret page with the
question:
// session_start() must already have been called on this page
if (!isset($_SESSION['userId']) ||
    !CoolCheckUserValidityFunction($_SESSION['userId'])):
    header("Location: login.php");
    exit;
else:
    // 'USER' must be quoted; a bare USER is an undefined constant
    $GLOBALS['USER'] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff..
Dunno if anyone else does stuff like that.. :P
sam rumaizan wrote:
You use a session to store values that are required over the course
of a single visit, and a cookie to store more persistent data that
is used over multiple visits. Session: when you close the browser
the session gets flushed. Which means the browser will not
recognize the user next time he/she browses the page, unlike a cookie.
So why do I need a session? OR maybe I didn't understand sessions
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
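A hardened version of the guard Mike posted, as an added example that is not from anyone in this thread: the browser only ever holds the opaque session ID, the ID is regenerated at login, and the cookie itself expires when the browser closes. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a login form at login.php; the validity callback is a hypothetical placeholder for a real user lookup.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and login.php.
declare(strict_types=1);

// Call once on every page before touching $_SESSION (e.g. from a shared include).
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // ignore session IDs passed in the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // 0 = cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After the password has been verified: bind the user ID to a fresh session ID.
function log_in_user(int $userId): void
{
    session_regenerate_id(true);   // new ID, old one deleted: blocks session fixation
    $_SESSION['userId']   = $userId;
    $_SESSION['loggedIn'] = time();
}

// Guard for the top of every protected page (not login.php). Only the session
// ID ever reaches the client; userId and loggedIn live solely on the server.
function require_login(callable $userIsValid, int $maxAge = 3600): int
{
    $userId = $_SESSION['userId'] ?? null;
    $since  = $_SESSION['loggedIn'] ?? 0;
    if ($userId === null || !$userIsValid($userId) || time() - $since > $maxAge) {
        $_SESSION = [];           // clear server-side state before redirecting
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return $userId;
}

start_secure_session();
// Hypothetical validity check: replace with a real database lookup.
$userId = require_login(fn(int $id): bool => $id > 0);
```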