Cookies vs. what?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Cookies vs. what?

Post by JKM »

Since there is some lack of security using cookies, what should/could be used instead?
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: Cookies vs. what?

Post by jayshields »

Depends what you're using cookies for.
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies vs. what?

Post by JKM »

Just some simple login-required pages (with some minor access levels).
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: Cookies vs. what?

Post by jayshields »

Try sessions (with cookie use disabled).
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Cookies vs. what?

Post by Benjamin »

Moved to PHP - Security
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies vs. what?

Post by JKM »

Oh, thanks astions - forgot about that category.

jay: How should I use something such as "remember me"/"log me in automatically" with sessions?
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: Cookies vs. what?

Post by jayshields »

You can't do "remember me" functions properly without using cookies. You could rely on an IP address but they're not the best idea since they can be spoofed easily.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Cookies vs. what?

Post by kaisellgren »

Cookies were created so that we can achieve this "remember me" effect. If you just need a temporary session, you could store the session in the URI. If you need a "permanent" session, then you should just use cookies as that is the thing they were ultimately created for. In the future, we will have client-side database systems as proposed in the HTML 5 draft, so we will see what we can do with that.

Can I ask you what kind of lack of security cookies have, or what you are trying to achieve? Usually security issues come from improper handling of tools/features rather than from them lacking security.
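
A "remember me" cookie handled carefully, as an added PHP example that is not part of any post in this thread: the cookie carries a random selector and validator, the server keeps only a hash of the validator, and each token is single-use. The in-memory `$store`, the function names and the 30-day lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// $store stands in for a database table (hypothetical schema).
const REMEMBER_TTL = 30 * 24 * 3600; // assumed lifetime: 30 days

function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key
    $validator = bin2hex(random_bytes(32)); // secret, never stored in clear
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator; // value to place in the cookie
}

function verifyRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null; // malformed value or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]); // single use: matched or not, the token is spent
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null; // expired, or validator does not match (constant-time check)
    }
    return $row['user_id']; // caller logs the user in and issues a fresh token
}

// Options for setcookie('remember', $cookie, rememberCookieOptions()), PHP 7.3+.
function rememberCookieOptions(): array
{
    return [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax', // withheld on most cross-site requests
    ];
}

// Constructed demo run against an empty in-memory store.
$store  = [];
$cookie = issueRememberToken($store, 42);
var_dump(verifyRememberToken($store, $cookie)); // first presentation
var_dump(verifyRememberToken($store, $cookie)); // replay of the spent token
```

A login restored this way should still start a regular session with a regenerated session ID, and sensitive actions can require the password again.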
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Cookies vs. what?

Post by VladSun »

There are 10 types of people in this world, those who understand binary and those who don't
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Cookies vs. what?

Post by JKM »

Nice, thx mate!