i'm really confused now...cookies and session

pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

i'm really confused now...cookies and session

Post by pleigh »

hi everyone...

I'm a newbie in PHP programming. While browsing my book about cookies and sessions, it says there that using sessions is more secure than using cookies, but sessions rely on cookies by default. Then it says that sessions can be used without a cookie, and it also says (in the book) that doing so (using sessions without a cookie) is less secure. Now I'm really confused. In the forum, I asked somebody to pick a preference between cookies and sessions, just one, and some in the forum say it is sessions they prefer. So why choose sessions alone if it is less secure? Is it the book that lacks some information? I'm really confused right now and ask somebody or everybody to interact in this thread.

thanks in advance

pleigh
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The session cookie is literally only an ID number; that's it. Most often, they are set to destroy themselves if the browser closes.

Whereas a cookie can be anything, and is most often not destroyed by the browser closing.

The data associated with a session ID is stored solely on the server(s) providing content for that domain.

Cookies reside on the user's computer, and can be accessed by anything with their user level or higher, typically.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

thanks feyd

What do you recommend, security-wise, sessions or cookies? This is, for example, in a login page.

thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sessions... or strongly encrypted cookies.

At any rate, if you have a site where high security is needed, or it's often used on public machines, I'd first use sessions, but also require the person to input their password to change anything that may be dangerous to change, like their email address or password (but that should be obvious).
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The important part is this: if your site relies on sessions, you need to adopt a technique for people who have turned cookies off. This can be done by using the session_id as part of the URL. This, however, is the possible security problem you have heard of. As a user visits another site after yours, the session part is saved in the other site's referrer log, as it is part of the URL.
If you rely on sessions security-wise, just make sure that a session is invalid after a certain period, without relying only on the PHP garbage collection.
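An added example, not code from anyone in this thread, that puts feyd's and AGISB's points into one PHP login page: the cookie carries only a session ID and identity is read from server-side session data, the ID is never allowed in the URL (so it cannot leak through another site's referrer log), and an idle timeout is enforced by the script itself rather than left to PHP's garbage collector. The user table is a constructed in-memory stand-in for a database lookup, and the function names are my own. It assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the thread): session-based login with the settings
// discussed above. lookupUser() is a constructed stand-in for a database query.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60;  // our own expiry, independent of session.gc_maxlifetime

function configureSession(): void
{
    // Only ever carry the session ID in a cookie: an ID placed in the URL ends up
    // in other sites' referrer logs, browser history and bookmarks.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server never issued, so a client cannot pick its own ID.
    ini_set('session.use_strict_mode', '1');
    // The cookie holds nothing but the ID; keep it away from scripts and off plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,      // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function lookupUser(string $username): ?array
{
    // Constructed in-memory user table; the hash is generated at runtime.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [
            'id'            => 1,
            'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = lookupUser($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh ID on login so an ID handed out before login is not reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

function sessionIsFresh(): bool
{
    // Enforce the idle timeout ourselves: PHP's garbage collector only runs
    // probabilistically, so an old session could otherwise still be accepted.
    $now = time();
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

function currentUserId(): ?int
{
    // Identity comes from server-side session data. A cookie such as user_id=1
    // would be a value the browser can rewrite at will, so it is never read here.
    return $_SESSION['user_id'] ?? null;
}

// Request handling: log in on POST, otherwise require a live session.
configureSession();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (!login((string) $_POST['username'], (string) $_POST['password'])) {
        http_response_code(401);
        exit('Login failed');
    }
    exit('Logged in as user #' . currentUserId());
}
if (!sessionIsFresh() || currentUserId() === null) {
    http_response_code(401);
    exit('Please log in');
}
echo 'Hello, user #' . currentUserId();
```

Drop this in as login.php, POST username and password to it once, then request it again with the cookie the browser received; after fifteen idle minutes the second request answers 401 even though PHP may not have collected the session yet. feyd's advice about re-entering the password before changing an email address or password fits on top of this by verifying the submitted password with password_verify() against the stored hash before applying such a change.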