Everah wrote: To the original poster:
When you ask which is better, sessions or cookies, what is your intended purpose when using either of these? The better of the two will depend on which suits the needs of your purpose best.
To those that are posting that storing usernames and passwords in a cookie is OK to do, I disagree with you. As a few members have already pointed out, storing sensitive information in a cookie is a bad idea, as cookie information is stored plainly on the client machine. If the machine is not kept secure from intrusion, then the data on the machine could in fact be compromised, which could in fact compromise your server if they are granted access to it by way of a stored piece of sensitive information on the client.
kaisellgren wrote: allowed chars a-z, 0-9 and _
This is terribly limiting in scope for a password. That means that someone who uses a password like Ke3P-m@_53CuR3 would get tossed by your regex for capital letters and special chars. Personally, I wouldn't use a system that requires a weak password. Just my opinion.
Oh god.
Thanks for your help guys. But it looks like your way of speaking is far different from mine. I just quickly threw together what the PCRE would check. Of course I will put /i and list some usable characters. The PCRE was not the point. I can handle it myself fine. I just quickly wrote something to get you to understand my point.
Btw, you are talking about "mysql_real_escape_string()" all the time. Is addslashes() enough? I prefer it, and your repetition made me wonder a little whether addslashes() is worse than mysql_real_escape_string()...
And to make my 'target' as clear as possible. I'll try to explain it now.
Okay. I'm writing a secure login form for my membership system. I have a registration form, forgotten password and validation that are excellent. I just need to write the hardest part - login. I want, actually I must, write it as securely as possible. I thought that just using sessions would NOT make it possible for a user to automatically get logged in, as he could with cookies.
I need cookies to get automatic login, or 'continuous login' in other words. Just using sessions does not do this. So I need to know what I should include in cookies? You made clear that not the password, but what then? If cookies have only the username stored, how can the automatic login work if the script cannot get the password from a cookie?
And another point about the sessions. When using sessions, is it better to use .php?PHPSESSID=sdfsdf than not to use?
Thanks for your help guys, you help me a lot
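The two questions above (what a persistent-login cookie should carry if not the password, and whether addslashes() is enough when building the query) can be shown together. What follows is an added example, not code from this thread or from any poster: the cookie carries only a random selector plus a random validator, the database stores just a hash of the validator, and every query is a prepared statement so no addslashes()/escaping of user input is needed at all. It assumes a PDO connection in $db, a table remember_tokens(selector, validator_hash, user_id, expires_at), and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// Added example (not from the thread): a "remember me" cookie that never
// carries the password. The cookie holds a random selector plus a random
// validator; the database stores the selector and only a hash of the
// validator, so a copied database does not yield working cookies.
// Assumed schema: remember_tokens(selector, validator_hash, user_id, expires_at).
// Lookups use prepared statements, so no addslashes()/escaping is involved.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret, stored only as a hash
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:selector, :hash, :user_id, :expires)'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $validator),
        ':user_id'  => $userId,
        ':expires'  => $expires,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/** Returns the user id for a valid, unexpired cookie, or null otherwise. */
function userFromRememberCookie(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    // Prepared statement: the selector is bound, never concatenated into SQL.
    $stmt = $db->prepare(
        'SELECT validator_hash, user_id, expires_at
           FROM remember_tokens WHERE selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak hash bytes.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Typical use at the top of each request (assumed session layout):
// session_start();
// if (empty($_SESSION['user_id'])) {
//     $uid = userFromRememberCookie($db);
//     if ($uid !== null) {
//         session_regenerate_id(true);   // fresh session id after auto-login
//         $_SESSION['user_id'] = $uid;
//     }
// }
```

The split into selector and validator is what lets the server look the row up by an indexed column while still only storing a hash of the secret part; on logout, delete the row for that selector so the cookie stops working even if it is still present on the client.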
