For example, I've read that sessions are easy to use, but that if the session ID is leaked then anyone can assume the identity of that session holder.
Then there are cookies, and for some reason I don't see any reference anywhere to security issues with cookies, which is odd to my mind, as the whole session ID problem appears to relate to the value stored inside the session cookie anyhow.
So let's just say that someone is monitoring my website traffic (one of the vulnerabilities listed under sessions); then aren't they also going to see any info I have in a cookie? And even if I then encrypt that info, can't they just send the info raw and let the server react the way it would for the real cookie holder?
It's all pretty confusing to my mind, especially as I like the idea of using sessions for tracking info during a visit, but I like the idea of using cookies to hold the information to allow automatic login for x amount of days.
Can anyone shed any light on any of this for me? Thanks
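The "automatic login for x days" part of the question is usually solved with a persistent-login (remember-me) cookie that is separate from the session cookie. The example below is added here to illustrate one common design; it is not code from the original post or from any particular framework, and the in-memory `RememberMeStore`, its method names, the cookie name `remember`, and the sample user names are assumptions made for the illustration. The cookie carries two random parts, a selector and a validator; the server stores only a hash of the validator, so a database leak does not hand out valid cookies, a mismatched validator on a known selector is treated as a stolen or guessed cookie and revokes it, and logout or expiry makes a replayed cookie worthless. Encrypting the cookie's contents would not stop replay, which is why the scheme relies on revocation, expiry and the `Secure`/`HttpOnly` attributes (the cookie is only sent over TLS and is not readable by page scripts) rather than on secrecy of the format.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not from the original post. The store below is a stand-in
# for a database table keyed by selector; the API names are assumptions.


class RememberMeStore:
    COOKIE_NAME = "remember"

    def __init__(self, lifetime_seconds: int = 30 * 24 * 3600):
        self.lifetime = lifetime_seconds
        # selector -> (user_id, sha256(validator), expiry as unix time)
        self.tokens: Dict[str, Tuple[str, bytes, float]] = {}

    @staticmethod
    def _hash(validator: str) -> bytes:
        # Only the hash is stored, so a leaked table cannot be turned into cookies.
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a new persistent-login token and return the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # public lookup key
        validator = secrets.token_urlsafe(32)  # secret, never stored in the clear
        self.tokens[selector] = (user_id, self._hash(validator), now + self.lifetime)
        return f"{selector}:{validator}"

    def authenticate(self, cookie_value: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid cookie, or None (and revoke on misuse)."""
        now = time.time() if now is None else now
        if cookie_value.count(":") != 1:
            return None
        selector, validator = cookie_value.split(":", 1)
        record = self.tokens.get(selector)
        if record is None:
            return None
        user_id, stored_hash, expiry = record
        if now >= expiry:
            del self.tokens[selector]
            return None
        # Constant-time comparison so the check does not leak the hash byte by byte.
        if not hmac.compare_digest(stored_hash, self._hash(validator)):
            # Known selector with wrong validator: someone is replaying a tampered
            # or guessed cookie, so the token is revoked rather than just rejected.
            del self.tokens[selector]
            return None
        return user_id

    def revoke(self, cookie_value: str) -> None:
        """Invalidate a token, e.g. on logout; a replayed copy then fails."""
        selector = cookie_value.split(":", 1)[0]
        self.tokens.pop(selector, None)

    def set_cookie_header(self, cookie_value: str) -> str:
        """Set-Cookie value restricting the cookie to TLS and hiding it from scripts."""
        return (f"{self.COOKIE_NAME}={cookie_value}; Max-Age={self.lifetime}; Path=/; "
                "HttpOnly; Secure; SameSite=Lax")


def demo() -> dict:
    """Walk through issue, replay after logout, and a forged cookie built from a leaked hash."""
    store = RememberMeStore(lifetime_seconds=100)
    cookie = store.issue("alice", now=1000.0)
    result = {"fresh": store.authenticate(cookie, now=1050.0)}
    store.revoke(cookie)
    result["replayed_after_logout"] = store.authenticate(cookie, now=1050.0)
    cookie2 = store.issue("bob", now=1000.0)
    selector = cookie2.split(":", 1)[0]
    leaked_hash = store.tokens[selector][1].hex()   # what a DB leak would expose
    result["forged_from_leaked_hash"] = store.authenticate(f"{selector}:{leaked_hash}", now=1050.0)
    return result


if __name__ == "__main__":
    print(demo())
```

The session cookie (short-lived, server-side state for the current visit) and the remember-me cookie (long-lived, used only to start a new session) stay separate, so the persistent token is presented once per login rather than on every request, which limits how often it is exposed on the wire.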