
questions about page security with session or else???

Posted: Mon Jan 30, 2006 1:58 am
by PHPycho
I am making a feasibility study on the security of pages (for login scripts etc.) using sessions or cookies.
I wanna know which one is secure and why:
1> storing the values in the session and checking them in the secured pages
2> storing the session ID in cookies by encrypting it (maybe double encryption) and checking it by decrypting it in the secured pages
3> storing the session in a database and checking it in the secured pages
.....................................................................................................................
Can anybody tell me more about the three topics... which one to use and why?
I will be very grateful if my problem gets solved.
Anyway, thanks in advance.

Posted: Mon Jan 30, 2006 9:50 am
by shiflett
Before anyone can reasonably answer your questions, I think you might want to do a bit more research, so that you understand how sessions work.

1. The phrase "sessions or cookies" doesn't make sense, because these are not mutually exclusive. What do you mean by this?

2. All three items in your list cover different topics, so they're not easily compared. In the first, you're describing a pretty generic solution - store "values" in a session and check "it" on secure pages. The second item describes another topic, the session identifier. The third item describes yet another topic, the location of the session data store.

I'm not sure if this will help, but I wrote an article that first tries to describe how sessions work before explaining some of the security concerns:

http://shiflett.org/articles/the-truth-about-sessions

Hope that helps.
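
An added illustration, not part of any post in this thread: how the three items from the original question fit together in one PHP login check rather than competing with each other. `ArrayStore` and `require_login()` are hypothetical names, the in-memory array stands in for a database table, and the code assumes PHP 8.

```php
<?php
// Added example. ArrayStore and require_login() are hypothetical names;
// the array stands in for a database table keyed by session ID.
final class ArrayStore implements SessionHandlerInterface
{
    public array $rows = [];
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->rows[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->rows[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->rows[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

// The check on a protected page reads server-side session data only.
function require_login(): int
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    return $_SESSION['user_id'];
}

$store = new ArrayStore();
session_set_save_handler($store, true);   // item 3: where the session data lives
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();                           // item 2: the cookie carries only the ID

$log = [];
try {
    require_login();
} catch (RuntimeException $e) {
    $log[] = 'before login: ' . $e->getMessage();
}

// Login succeeded (credential check omitted): issue a fresh ID, then store values.
session_regenerate_id(true);
$_SESSION['user_id'] = 42;                 // item 1: constructed sample value
$log[] = 'after login: user ' . require_login();

$id = session_id();
session_write_close();                     // flush the session data to the store
$log[] = 'cookie sent to browser: ' . session_name() . '=' . $id;
$log[] = 'row kept on server:     ' . $store->rows[$id];
echo implode(PHP_EOL, $log), PHP_EOL;
```

All session calls happen before the first `echo` so the script also runs from the PHP command line without "headers already sent" warnings.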

Posted: Tue Jan 31, 2006 1:40 am
by PHPycho
Sorry, I am confused a little bit...
anyway thanks for the mistake...
I want to know what is the best way to secure a page... using session in DB or session with cookies or else......

Posted: Tue Jan 31, 2006 3:35 am
by jayshields
PHPycho: read his article; it's very good, I certainly learnt a couple of things from it.

By the way, is your username supposed to read PHPsycho?