Sessions vs Cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

smdepot
Forum Newbie
Posts: 1
Joined: Tue Apr 24, 2007 1:00 pm


Post by smdepot »

I didn't see this mentioned anywhere yet, if it is, I apologize for posting this.

I am curious if there is a difference in security between Sessions and Cookies. Like, if I want to build a login form, what is the best way to do it? Should I use Cookies or Sessions to retain the login credentials to keep someone logged in? Are these even the best ways to go about this?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Cookies are a totally client-side thing, so you cannot rely on them at all.
1. Security-wise
2. If cookies are disabled, people will not be able to use your system

Sessions:
1. Best solution for keeping persistent data
2. Have to be careful on shared hosts. Usually keeping the session in a DB is a good security choice.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

But sessions use cookies as well. How else are you going to attach the "session" to a user? That cookie with the session identifier can be fixed, stolen, etc. as well...
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

matthijs wrote:But sessions use cookies as well. How else are you going to attach the "session" to a user? that cookie with the session identifier can be fixed, stolen, etc as well...
The session ID can be passed through the url if cookies are disabled.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I know that. I only want to mention that session identifiers, whether in a cookie or in a URL, can be fixated and stolen as well. So you still have to be careful with how you build the system.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

And that's why we have the ability to generate new session IDs on demand.
tpoxa
Forum Newbie
Posts: 1
Joined: Mon Jun 25, 2007 2:30 am
Location: Kharkiv, Ukraine

Post by tpoxa »

matthijs wrote:I know that. I only want to mention that session identifiers, whether in a cookie or in an URL, can be fixated and stolen as well. So you still have to be careful with how you build the system.
To prevent it, use this code when initializing the $_SESSION variables:

    // record the client's details once, right after session_start()
    $_SESSION['ip']      = $_SERVER['REMOTE_ADDR'];
    $_SESSION['xip']     = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    $_SESSION['browser'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

then on each page check that:

    // map of session keys to the $_SERVER variables they were copied from
    $check = array(
        'ip'      => 'REMOTE_ADDR',
        'xip'     => 'HTTP_X_FORWARDED_FOR',
        'browser' => 'HTTP_USER_AGENT',
    );

    foreach ($check as $key => $value) {
        // only compare entries that were actually recorded when the session started
        if (!isset($_SESSION[$key])) {
            continue;
        }
        $current = isset($_SERVER[$value]) ? $_SERVER[$value] : '';
        if ($current !== $_SESSION[$key]) {
            // mismatch: drop the session data on the server and stop checking
            $_SESSION = array();
            session_destroy();
            break;
        }
    }
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The requesting IP address can change legitimately during a user's session. Do not rely on it.
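A login flow that pulls the thread's points together: feyd's on-demand session ID regeneration (done at login, the privilege change where fixation matters), tpoxa's per-request consistency check, and feyd's warning that the client IP is not a stable property to bind to. This is an added example, not code posted in the thread. The `authenticate()` function is a hypothetical placeholder for the application's own credential check, and the array form of `session_set_cookie_params()` with the `samesite` key assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): hardened PHP session handling for a login form.

function secure_session_start(): void
{
    // Reject session IDs the server never issued; a planted ID is simply ignored.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',    // assumption: PHP >= 7.3
    ]);
    session_start();
}

/** Hypothetical placeholder: return the user's ID on success, null on failure. */
function authenticate(string $user, string $password): ?int
{
    // e.g. look the user up and call password_verify() against the stored hash
    return null;
}

function login(string $user, string $password): bool
{
    $userId = authenticate($user, $password);
    if ($userId === null) {
        return false;
    }
    // Privilege change: issue a fresh ID and delete the old session file, so an
    // ID that was fixed before login no longer refers to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
    return true;
}

function validate_session(int $idleLimit = 1800): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) {
        return false;
    }
    // Bind to the User-Agent only. The client IP is deliberately not compared,
    // since it can change legitimately mid-session (mobile networks, proxies).
    $ua    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $stale = (time() - ($_SESSION['last_seen'] ?? 0)) > $idleLimit;
    if ($stale || !hash_equals($_SESSION['ua_hash'], $ua)) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Per-page usage:
// secure_session_start();
// if (!validate_session()) { header('Location: /login.php'); exit; }
```

The idle timeout and the `hash_equals()` comparison are not discussed in the thread; they are included because a consistency check that only looks at the User-Agent is weak on its own, and a timeout bounds how long a stolen identifier stays useful.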