questions about page security with session or else???

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm


Post by PHPycho »

I am making a feasibility study of the security of pages (for a login script etc.) using sessions or cookies.
I wanna know which one is secure and why:
1> storing the values in the session and checking it in the secured pages
2> storing the session ID in cookies by encrypting it (maybe double encryption) and checking it by decrypting it in the secured pages
3> storing the session in a database and checking it in the secured pages
.....................................................................................................................
Can anybody tell me more about the three topics... which one to use and why?
I will be very grateful if my problem gets solved.
Anyway, thanks in advance.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Before anyone can reasonably answer your questions, I think you might want to do a bit more research, so that you understand how sessions work.

1. The phrase "sessions or cookies" doesn't make sense, because these are not mutually exclusive. What do you mean by this?

2. All three items in your list cover different topics, so they're not easily compared. In the first, you're describing a pretty generic solution - store "values" in a session and check "it" on secure pages. The second item describes another topic, the session identifier. The third item describes yet another topic, the location of the session data store.

I'm not sure if this will help, but I wrote an article that first tries to describe how sessions work before explaining some of the security concerns:

http://shiflett.org/articles/the-truth-about-sessions

Hope that helps.
PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

Post by PHPycho »

Sorry, I am confused a little bit...
Anyway, thanks for the mistake...
I want to know what is the best way to secure a page... using session in DB or session with cookies or else...
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

PHPycho: read his article; it's very good, I certainly learnt a couple of things from it.

By the way, is your username supposed to read PHPsycho?