I didn't see this mentioned anywhere yet; if it is, I apologize for posting this.
I am curious if there is a difference in security between Sessions and Cookies. For example, if I want to build a login form, what is the best way to do it? Should I use Cookies or Sessions to retain the login credentials and keep someone logged in? Are these even the best ways to go about this?
Sessions vs Cookies
Cookies are a totally client-side thing, so you cannot rely on them at all:
1. security-wise
2. if cookies are disabled, people will not be able to use your system
Sessions:
1. Best solution for keeping persistent data
2. Have to be careful on shared hosts. Usually keeping the session in the DB is a good security choice.
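The "keep the session in the DB" advice above, written out as an added example (this is not code from the thread): a PHP session save handler backed by a database, so that session data never lands in the world-readable /tmp directory that every account on a shared host can read. It uses SQLite through PDO so it runs offline; the table name "sessions", the database file path and the cookie settings are assumptions for this example, and a MySQL or PostgreSQL DSN can be substituted in production.

```php
<?php
// Added example: database-backed PHP session storage for shared hosts.
// Not from the original thread; table name and file path are assumptions.

class DbSessionHandler implements SessionHandlerInterface
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Create the table on first use (assumed schema)
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id      TEXT PRIMARY KEY,
                data    TEXT NOT NULL,
                expires INTEGER NOT NULL
            )'
        );
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Return the serialized session data, or '' if the id is unknown or expired
    public function read($id): string
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    // Upsert the session row and push its expiry forward by gc_maxlifetime
    public function write($id, $data): bool
    {
        $lifetime = (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, expires) VALUES (:id, :data, :expires)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':expires' => time() + $lifetime]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: drop every expired row, return how many were removed
    public function gc($maxLifetime): int
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite'); // assumed location
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($pdo), true);

// Harden the cookie that carries the session id: HttpOnly always,
// Secure whenever the request itself arrived over HTTPS
session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);
ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
session_start();

$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;
echo 'Visits this session: ' . $_SESSION['visits'];
```

The database file itself must be outside the web root and readable only by the account running PHP, otherwise the move away from /tmp gains nothing. The handler only moves the data; it does nothing about stolen or fixated session ids, which is a separate problem.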
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
matthijs wrote:
I know that. I only want to mention that session identifiers, whether in a cookie or in a URL, can be fixated and stolen as well. So you still have to be careful with how you build the system.

To prevent it, use this code when initializing the $_SESSION variables:

Code:
// Record the client details at the time the session is created
$_SESSION['ip']      = $_SERVER['REMOTE_ADDR'];
$_SESSION['xip']     = @$_SERVER['HTTP_X_FORWARDED_FOR']; // header set by the client or its proxy
$_SESSION['browser'] = $_SERVER['HTTP_USER_AGENT'];

Code:
// On each later request, compare the current request with the stored values
// and destroy the session if any of them changed
$check = array("ip" => "REMOTE_ADDR", "xip" => "HTTP_X_FORWARDED_FOR", "browser" => "HTTP_USER_AGENT");
if (isset($_SESSION['ip'])) {
    foreach ($check as $key => $value) {
        if (@$_SERVER[$value] != @$_SESSION[$key]) {
            @session_destroy();
            break;
        }
    }
}
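Session fixation, which matthijs raises above, is not fixed by fingerprinting alone: the attacker who planted the id is the one making the requests, so IP and User-Agent match. The fix is to issue a fresh id at the moment of login. The following is an added example, not code from the thread or from any of its posters, of a login flow that does that and then applies the client-binding check from the post above. The function names, the paths /login.php and /account.php, the constructed $users array in place of a real accounts table and the use of password_verify() are all assumptions for this example.

```php
<?php
// Added example: session fixation defence plus client binding at login.
// Not from the original thread; names, paths and the $users array are assumed.

ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);
session_start();

// Fingerprint of the client. The address comes from REMOTE_ADDR only:
// X-Forwarded-For is a client-supplied header and can be set to anything.
function client_fingerprint(): string
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ip . '|' . $ua);
}

// Call only after the credentials have been verified.
function login_user(int $userId): void
{
    // Discard the id the browser arrived with (possibly planted by an attacker)
    // and issue a new one; true deletes the old session record on the server.
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['user_id']      = $userId;
    $_SESSION['fingerprint']  = client_fingerprint();
    $_SESSION['logged_in_at'] = time();
}

// Call at the top of every page that requires a logged-in user.
function require_login(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        logout_user();
        header('Location: /login.php'); // assumed path
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Full logout: clear the data, expire the cookie, remove the server record.
function logout_user(): void
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Login handler. Constructed sample account standing in for a real database.
$users = array(
    'alice' => array('id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)),
);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (isset($users[$name]) && password_verify($pass, $users[$name]['hash'])) {
        login_user($users[$name]['id']);
        header('Location: /account.php'); // assumed path
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```

Binding the session to REMOTE_ADDR will log out users whose address changes mid-session (mobile networks, some corporate proxies), so many sites bind to the User-Agent only and rely on session_regenerate_id(), strict mode and the HttpOnly/Secure cookie flags for the rest. Binding to X-Forwarded-For, as the snippet above does, adds nothing, because the party presenting a stolen id also controls that header.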