RE: Authentication Question!

Gustav,

Your statements are not entirely accurate. Cookies are stored IN files on
the client HD and can be stored there for a while; they don't do anything to
cause unspecified files to be stored, as you seem to say.

PHP sessions employ a cookie to store the session key, which is transmitted
with other data from the browser to the server every time a page from your
domain is requested.  At one time, not sure it still does, PHP used to add
the key to the URL in the event that cookies were disabled by the visitor.
Sessions allow you to store data on the server, and not send it to the
browser, and have that same data available with each page request.  If this
is sensitive data, like a customer's identity, that is a good thing; sending
that information back and forth across the internet (as would be the case if
stored in a cookie) provides opportunities for a sniffer to capture it.

If you use cookies for storing data on the visitor's computer you might want
to consider encrypting the data, since it would be available to anyone who
gained access to his computer.  When you use PHP sessions, by default the
only thing stored on the visitor's computer is the session key, but of
course, you are free to send other cookies.  The data elements you store in
a session are actually stored on your server where you can protect them, and
make the data persist at least as long as the session remains.

A good way to learn about PHP sessions is to write database session handler
routines and track how they are used; pay close attention to the garbage
cleanup routine which destroys old sessions.  You will have to write a set
of these routines if you have a high volume site with a load balancer in
front of your web server, because if you use the file storage technique that
comes with PHP, you may wind up storing your session data on one server and
with the next request the visitor could be directed to a different server
(you get the idea).

Probably more than you wanted to know,

Warren Vail

-----Original Message-----
From: Gustav Wiberg [mailto:gustav@xxxxxx] 
Sent: Tuesday, October 09, 2007 11:23 PM
To: 'Matthew Gonzales'; 'PHP-Windows Group'
Subject: RE:  Authentication Question!

Hi!

For higher security it's generally better to use sessions BECAUSE cookies
generally store files on the client HD for a longer time, and it's
therefore easier to get the password (if the password itself is not
encrypted). My tip is to use sessions if it works. Use cookies on the other
hand (it depends on the application what you need).

Best regards
/Gustav Wiberg
 

-----Original Message-----
From: Matthew Gonzales [mailto:matt323@xxxxxxx]
Sent: Tuesday, October 09, 2007 8:23 PM
To: PHP-Windows Group
Subject:  Authentication Question!

Hello,

Could someone offer their opinion on which is better to use when creating
a password protected area, a $Cookie or a $Session. I have found a lot of
info on both and can't really make up my mind. I am running PHP and MySQL on
IIS 6.0.

Matt G

--
Matthew Gonzales
IT Professional Specialist
Enterprise Information Technology Services University of Georgia
Email: matt323@xxxxxxx <mailto:matt323@xxxxxxx>
Phone: (706)542-9538

--
PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php

