kaisellgren wrote: means that I check first for allowed chars a-z, 0-9 and _, then I check that the length is between 4 and 16, then lastly I'll addslashes(). Clear now?

I always put punctuation in my passwords to make them harder for people to guess. Looks like your website will be broken for me then.
Cookies or Sessions?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
onion2k wrote: I always put punctuation in my passwords to make them harder for people to guess. Looks like your website will be broken for me then.

Punctuation like what? You mean - . ( / & etc.?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
To the original poster:
When you ask which is better, sessions or cookies, what is your intended purpose when using either of these? The better of the two will depend on which suits the needs of your purpose best.
To those that are posting that storing usernames and passwords in a cookie is OK to do, I disagree with you. As a few members have already pointed out, storing sensitive information in a cookie is a bad idea, as cookie information is stored plainly on a client machine. If the machine is not kept secure from intrusion then the data on the machine could in fact be compromised, which could in fact compromise your server if they are granted access to it by way of a stored piece of sensitive information on the client.
kaisellgren wrote: allowed chars a-z, 0-9 and _

This is terribly limiting in scope, for a password. That means that someone who uses a password like Ke3P-m@_53CuR3 would get tossed by your regex for capital letters and special chars. Personally, I wouldn't use a system that requires a weak password. Just my opinion.
kaisellgren wrote: Punctuation like what? You mean - . ( / & etc.?

Yes.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Everah wrote: To the original poster:

When you ask which is better, sessions or cookies, what is your intended purpose when using either of these? The better of the two will depend on which suits the needs of your purpose best.

To those that are posting that storing usernames and passwords in a cookie is OK to do, I disagree with you. As a few members have already pointed out, storing sensitive information in a cookie is a bad idea, as cookie information is stored plainly on a client machine. If the machine is not kept secure from intrusion then the data on the machine could in fact be compromised, which could in fact compromise your server if they are granted access to it by way of a stored piece of sensitive information on the client.

kaisellgren wrote: allowed chars a-z, 0-9 and _

This is terribly limiting in scope, for a password. That means that someone who uses a password like Ke3P-m@_53CuR3 would get tossed by your regex for capital letters and special chars. Personally, I wouldn't use a system that requires a weak password. Just my opinion.

Oh god.
Thanks for your help guys. But it looks like your way of speaking is far different from mine. I just quickly threw together what the PCRE would check. Of course I will put /i and list some usable characters. The PCRE was not the point. I can handle it myself fine. I just quickly wrote something to get you to understand my point.
Btw, you are all the time talking about "mysql_real_escape_string()" so much. Is addslashes() enough? I prefer it, and your repetition made me wonder a little whether addslashes() is worse than mysql_real_escape_string()...
And to make my 'target' as clear as possible, I'll try to explain it now.
Okay. I'm writing a secure log in form for my membership system. I have a registration form, forgotten password and validation that are excellent. I just need to write the hardest part - log in. I want, actually I must, write it as secure as possible. I thought that just using sessions would NOT make it possible that a user could automatically get logged in like he could if using cookies.
I need cookies to get automatic login, or 'continuous login' in other words. Just using sessions does not do this. So I need to know what I should include in cookies. You made clear that not the password, but what then? If cookies have only the username stored, how can the automatic login work if the script cannot get the password from a cookie?
And another point about the sessions. When using sessions, is it better to use .php?PHPSESSID=sdfsdf than not to?
Thanks for your help, guys, you help me a lot.
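On the addslashes() question in the post above, an added example that is not code from this thread or from any poster. addslashes() works byte by byte; a multibyte connection charset such as GBK decides character boundaries differently, so the backslash it inserts can be swallowed into a two-byte character and leave the quote bare. gbk_chars() is a helper written for this demo (it applies only the GBK framing rule: a lead byte 0x81-0xFE takes the next byte as its trail byte, with no validation of individual code points), and the attacker input is constructed.

```php
<?php
// Added example, not code from the thread. Shows why addslashes() is not a
// safe substitute for a charset-aware escaper.

// Hypothetical helper for this demo: split a byte string into GBK characters
// using only the framing rule (lead byte 0x81-0xFE consumes the next byte).
function gbk_chars(string $bytes): array
{
    $chars = [];
    $len = strlen($bytes);
    for ($i = 0; $i < $len; $i++) {
        $b = ord($bytes[$i]);
        if ($b >= 0x81 && $b <= 0xFE && $i + 1 < $len) {
            $chars[] = substr($bytes, $i, 2);   // two-byte character
            $i++;
        } else {
            $chars[] = $bytes[$i];              // single ASCII byte
        }
    }
    return $chars;
}

// Does an ASCII quote survive as a character of its own (i.e. unescaped)?
function has_bare_quote(array $chars): bool
{
    return in_array("'", $chars, true);
}

// Constructed attacker input: the byte 0xBF followed by an ASCII quote.
$input = "\xbf'";

// addslashes() puts a backslash (0x5C) before the quote: bytes BF 5C 27.
$escaped = addslashes($input);

// Read as GBK, BF 5C is one two-byte character, so the quote after it is
// no longer escaped and can still terminate the SQL string literal.
$chars = gbk_chars($escaped);

printf("bytes after addslashes: %s\n", bin2hex($escaped));
printf("GBK characters: %s\n", implode(' ', array_map('bin2hex', $chars)));
printf("bare quote survives: %s\n", has_bare_quote($chars) ? 'yes' : 'no');
```

The demo only shows the byte-level mechanism; the injection itself needs the MySQL connection to actually be using such a charset. A charset-aware escaper (mysql_real_escape_string() and its mysqli successor) avoids the split only when the client library knows the connection charset, i.e. when it was set through mysql_set_charset()/mysqli_set_charset() rather than with a bare SET NAMES query. The mysql_* functions were removed in PHP 7; on current PHP the equivalent practice is prepared statements through PDO or mysqli, which keep data out of the query text altogether.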
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
kaisellgren wrote: Btw, you are all the time talking about "mysql_real_escape_string()" so much. Is addslashes() enough? I prefer it, and your repetition made me wonder a little whether addslashes() is worse than mysql_real_escape_string()...

Do not rely on addslashes(). Always use mysql_real_escape_string().
kaisellgren wrote: I thought that just using sessions would NOT make it possible that a user could automatically get logged in like he could if using cookies.

Sessions can be tweaked to allow auto logins, but it would probably be easier to write your own session code. You will need three pieces of information to allow autologins: 1) userid (not username), 2) a request to be remembered and 3) a validation credential of some sort (most folks use a hashed password for this). You can serialize() an array of data that stores all of these as array members, then set a cookie that uses that serialized value. However, I found something in the PHP Manual that stated serializing user data for session management was not a preferred method. Regardless of what route you take, I would recommend you do not store the user's password on their machine.
kaisellgren wrote: And another point about the sessions. When using sessions, is it better to use .php?PHPSESSID=sdfsdf than not to?

This will be handled automatically by PHP. If PHP cannot find the session cookie, it will automatically append the session id to the query string.
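The auto-login design described in the reply above, as an added example that is not code from the thread or from any poster. It carries the three pieces the reply lists (user id, the request to be remembered, a validation credential) and stores nothing derived from the password on the client. The reply suggests a hashed password as the credential; this example swaps in an HMAC-SHA256 keyed with a server-side secret, a different technique chosen here. REMEMBER_SECRET, REMEMBER_COOKIE, REMEMBER_TTL and all function names are chosen for this demo and are not part of PHP or of the thread; the secret and timestamps in the demo at the bottom are constructed.

```php
<?php
// Added example, not code from this thread. A "remember me" cookie whose
// credential is an HMAC under a server-side secret, not a password hash.

const REMEMBER_COOKIE = 'remember';          // hypothetical cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;      // 30 days

function remember_secret(): string
{
    // Assumption: a long random secret in the environment (or a config
    // file outside the web root); never hardcode it in the application.
    $secret = getenv('REMEMBER_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('REMEMBER_SECRET must be set (>= 32 bytes)');
    }
    return $secret;
}

// Cookie value "<userid>:<expires>:<hmac>", the HMAC covering the first two.
function make_remember_token(int $userId, int $now): string
{
    $payload = $userId . ':' . ($now + REMEMBER_TTL);
    return $payload . ':' . hash_hmac('sha256', $payload, remember_secret());
}

// Returns the user id for a valid, unexpired token, or null otherwise.
function parse_remember_token(string $token, int $now): ?int
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null;                                    // malformed
    }
    [$userId, $expires, $mac] = $parts;
    if (!preg_match('/^\d{1,18}$/', $userId) || !preg_match('/^\d{1,10}$/', $expires)) {
        return null;                                    // malformed
    }
    if ((int) $expires < $now) {
        return null;                                    // expired
    }
    $expected = hash_hmac('sha256', $userId . ':' . $expires, remember_secret());
    if (!hash_equals($expected, $mac)) {                // constant-time compare
        return null;                                    // forged or tampered
    }
    return (int) $userId;
}

// After a successful password login, when the user ticked "remember me".
function issue_remember_cookie(int $userId): void
{
    setcookie(REMEMBER_COOKIE, make_remember_token($userId, time()), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,        // HTTPS only
        'httponly' => true,        // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On a request with no logged-in session: promote a valid cookie to a session.
function auto_login_from_cookie(): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $userId = parse_remember_token($_COOKIE[REMEMBER_COOKIE], time());
    if ($userId === null) {
        setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');   // discard bad cookie
        return null;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // fresh session id on privilege change
    $_SESSION['user_id'] = $userId;
    return $userId;
}

// Offline demo with a constructed secret and timestamps (no web server needed).
putenv('REMEMBER_SECRET=' . bin2hex(random_bytes(16)));
$now = 1700000000;
$token = make_remember_token(42, $now);
var_dump(parse_remember_token($token, $now + 60));                  // valid token
var_dump(parse_remember_token($token . 'x', $now + 60));            // tampered token
var_dump(parse_remember_token($token, $now + REMEMBER_TTL + 1));    // expired token
```

The three var_dump calls exercise a valid, a tampered and an expired token. A token in this form can only be revoked by rotating the secret, which logs everyone out; for per-user revocation, include a per-user random "series" value from the database in the signed payload and change it on logout or password change. The session id is regenerated at the moment the cookie grants access, so a session id fixed before login is never upgraded to a logged-in one.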