hi everyone...
I'm a newbie in PHP programming. While browsing my book about cookies and sessions, it says there that using sessions is more secure than using cookies, but sessions rely on cookies by default. Then it says that sessions can be used without a cookie, and it also says (in the book) that doing so (using sessions without a cookie) is less secure. Now I'm really confused. In the forum, I asked somebody to pick a preference between cookies and sessions, just one, and some in the forum said it is sessions they prefer. So why choose sessions alone if it is less secure? Is it the book that lacks some information? I'm really confused right now and ask somebody or everybody to interact in this thread.
thanks in advance
pleigh
i'm really confused now...cookies and session
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
the session cookie is literally only an ID number, that's it. Most often, they are set to destroy themselves if the browser closes.
whereas a cookie can be anything, and is most often not destroyed by the browser closing.
the data associated with a session id is stored solely on the server(s) providing content for that domain.
Cookies reside on the user's computer, and can be accessed by anything with their userlevel or higher, typically.
- feyd
sessions... or strongly encrypted cookies.
at any rate, if you have a site where high security is needed, or it's often used on public machines, I'd first use sessions, but also require the person to input their password to change anything that may be dangerous to change, like their email address or password (but that should be obvious).
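The "re-enter your password before a dangerous change" pattern feyd describes, as an added PHP example that is not from the thread. It assumes a user store standing in for a database row (constructed inline here so the script runs on its own), a password stored with password_hash(), and a logged-in user id already in $_SESSION; the 300-second confirmation window is an illustrative choice.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Sensitive changes (here: the e-mail
// address) are refused unless the password was confirmed within a short window.

const REAUTH_WINDOW_SECONDS = 300; // how long a password confirmation stays "fresh"

/**
 * Verify the candidate password against the stored hash and, on success,
 * record the time of confirmation in the session.
 */
function confirmPassword(array $users, int $userId, string $candidate): bool
{
    if (!isset($users[$userId])) {
        return false;
    }
    if (!password_verify($candidate, $users[$userId]['password_hash'])) {
        return false;
    }
    $_SESSION['reauth_at'] = time();
    return true;
}

/** True only if the password was confirmed recently in this session. */
function hasFreshReauth(): bool
{
    return isset($_SESSION['reauth_at'])
        && (time() - (int) $_SESSION['reauth_at']) <= REAUTH_WINDOW_SECONDS;
}

/**
 * Change the e-mail address. Requires a fresh password confirmation and
 * consumes it, so each sensitive change needs its own confirmation.
 */
function changeEmail(array &$users, int $userId, string $newEmail): bool
{
    if (!hasFreshReauth()) {
        return false;
    }
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $users[$userId]['email'] = $newEmail;
    unset($_SESSION['reauth_at']);
    return true;
}

// --- usage -------------------------------------------------------------
// Constructed sample store: one user whose hash is generated at runtime.
$users = [
    42 => [
        'email'         => 'alice@example.test',
        'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ],
];

session_start();
$_SESSION['user_id'] = 42; // constructed: pretend the login already happened
$userId = (int) $_SESSION['user_id'];

// Attempt without confirmation.
changeEmail($users, $userId, 'new@example.test');
// Wrong password, then the right one.
confirmPassword($users, $userId, 'not the password');
confirmPassword($users, $userId, 'correct horse battery');
// Attempt with a fresh confirmation.
changeEmail($users, $userId, 'new@example.test');
var_dump($users[$userId]['email']);
```

In a real handler the password would come from the confirmation form's POST body and the user id from the session set at login; the consumed-on-use flag means a single confirmation cannot be replayed for a second change.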
The important part is this: If your site relies on sessions you need to adopt a technique for people that turned cookies off. This can be done by using the session_id as part of the URL. This, however, is the possible security problem you have heard of. As a user visits another site after yours, the session part is saved in the other site's referrer log as it is part of the URL.
If you rely on sessions security-wise, just make sure that a session is invalid after a certain period without relying only on the PHP garbage collection.
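A session bootstrap that addresses both points in the post above (keeping the session id out of the URL so it cannot leak through another site's referrer log, and expiring sessions in the application rather than trusting PHP's garbage collection), as an added PHP example that is not from the thread. It uses only the standard session ini settings and session_set_cookie_params() array form (PHP 7.3+); the 15-minute idle and 8-hour absolute timeouts are illustrative values, not figures from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread.

const IDLE_TIMEOUT_SECONDS     = 15 * 60;  // no request for 15 minutes: session is dead
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600; // 8 hours after it began: dead regardless

/** Must run before session_start(): cookie-only ids and a hardened cookie. */
function configureSessionCookie(): void
{
    ini_set('session.use_only_cookies', '1'); // never read the id from the query string
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
    ini_set('session.use_strict_mode', '1');  // reject ids this server did not issue

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

/**
 * Enforce idle and absolute lifetimes using timestamps kept in the session
 * itself. Returns false (and destroys the session) when it has expired,
 * so the caller can start a clean one. Independent of session.gc_*.
 */
function enforceSessionLifetime(int $now): bool
{
    if (!isset($_SESSION['started_at'], $_SESSION['last_seen'])) {
        // Fresh session: stamp it.
        $_SESSION['started_at'] = $now;
        $_SESSION['last_seen']  = $now;
        return true;
    }

    $idleTooLong = ($now - (int) $_SESSION['last_seen'])  > IDLE_TIMEOUT_SECONDS;
    $tooOld      = ($now - (int) $_SESSION['started_at']) > ABSOLUTE_TIMEOUT_SECONDS;

    if ($idleTooLong || $tooOld) {
        // Wipe server-side data and tell the browser to drop the cookie now.
        $_SESSION = [];
        setcookie(session_name(), '', ['expires' => $now - 3600, 'path' => '/']);
        session_destroy();
        return false;
    }

    $_SESSION['last_seen'] = $now;
    return true;
}

/** Call after a successful login: new id so a pre-login id is never promoted. */
function onLogin(int $userId, int $now): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['started_at'] = $now;
    $_SESSION['last_seen']  = $now;
}

// --- usage -------------------------------------------------------------
configureSessionCookie();
session_start();

if (!enforceSessionLifetime(time())) {
    // Expired: start a clean anonymous session for this request.
    session_start();
    enforceSessionLifetime(time());
}

// Constructed: pretend the credentials were just verified.
onLogin(42, time());
var_dump(isset($_SESSION['user_id']), ini_get('session.use_only_cookies'));
```

The ini settings have to be applied before session_start() on every request, so in practice configureSessionCookie() belongs in a front controller or php.ini. With use_only_cookies enabled, visitors who refuse cookies simply get no session rather than an id in the URL, which is the trade-off the post describes.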