Re: So why do I need session?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mikael Grön wrote:
As I said.
Cookies being completely insecure is as valid as Cookies not being as secure as Sessions.

Sessions are more secure than cookies, but only in so far as the actual data stored in a session is never sent to the client.

... *sighs*

I'm not sure what that's supposed to mean. This is a serious topic, and the lack of understanding of it that too many PHP developers suffer from is part of the reason PHP is getting a bad security reputation.

Though, there are ways to make cookies more secure, for example by storing copies of them with timestamps in a database and matching values before allowing users to pass... But that's more or less exactly what Sessions do, so there's really no use of Cookies for authentication.

There is no real way to make cookies secure. Anything you do needs to be reversible and so can be brute-forced. The best approach to take IMHO is to use cookies for session IDs and identification between visits. *Never* authenticate someone based purely on a cookie, and *never* track user status in cookies.

Oh, and to correct one other thing, cookies will disappear when you close the browser if you don't give them an expiry time. This is how the session ID cookie works.

-Stut

Stut skrev:
Mikael Grön wrote:
You can, only it's not as secure. It's easier to edit cookies since they're not stored on the server. Also cookies don't disappear when you close the browser, which is standard on other pages with login systems. Your users will expect to be logged out when closing the browser.

"as secure"??? Cookies are not secure at all. There has been a *very* lengthy discussion of this subject on the PHP-General mailing list. Search the archives for a recent thread with the subject "Session Authentication".

-Stut

sam rumaizan skrev:
It is a general question.
  Why can't I use cookie instead?
  Mikael Grön <php@xxxxxxxx> wrote:
  Are you asking someone specifically, or is this a general question?

Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered can log in to access special content. Only, you want such a high security on your website so that people shouldn't be able to simply browse to the hidden files, nor should a user still be logged in when his friend uses his computer and starts a fresh browser. Here's where sessions are perfect! You store the userId or similar information in the session and start every secret page with the question:

if (!isset($_SESSION['userId']) || !CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;

of course you should not do that check in login.php... :P

Mike

PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno if anyone else does stuff like that.. :P


sam rumaizan skrev:
You use a session to store values that are required over the course of a single visit, and a cookie to store more persistent data that is used over multiple visits. Session: when you close the browser the session gets flushed. Which means the browser will not recognize the user next time he/she browse the page unlike cookie.

So why do I need session? OR maybe I didn’t understand session






---------------------------------
Looking for earth-friendly autos? Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.





       ---------------------------------
The fish are biting.
 Get more visitors on your site using Yahoo! Search Marketing.




--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [PHP Database Programming]     [PHP Install]     [Kernel Newbies]     [Yosemite Forum]     [PHP Books]

  Powered by Linux