Sessions vs Cookies
Posted: Tue Apr 24, 2007 1:12 pm
by smdepot
I didn't see this mentioned anywhere yet, if it is, I apologize for posting this.
I am curious if there is a difference in security between Sessions and Cookies. Like, if I want to build a login form, what is the best way to do it? Should I use Cookies or Sessions to retain the login credentials and keep someone logged in? Are these even the best ways to go about this?
Posted: Tue Apr 24, 2007 1:20 pm
by jmut
Cookies are a totally client-side thing, so you cannot rely on them at all.
1. Security-wise
2. If cookies are disabled, people will not be able to use your system
Sessions:
1. Best solution for keeping persistent data
2. Have to be careful on shared hosts. Usually keeping the session in a DB is a good security choice.
Posted: Tue Apr 24, 2007 2:34 pm
by matthijs
But sessions use cookies as well. How else are you going to attach the "session" to a user? That cookie with the session identifier can be fixed, stolen, etc. as well...
Posted: Tue Apr 24, 2007 2:36 pm
by John Cartwright
matthijs wrote: But sessions use cookies as well. How else are you going to attach the "session" to a user? That cookie with the session identifier can be fixed, stolen, etc. as well...
The session ID can be passed through the url if cookies are disabled.
Posted: Tue Apr 24, 2007 2:45 pm
by matthijs
I know that. I only want to mention that session identifiers, whether in a cookie or in a URL, can be fixated and stolen as well. So you still have to be careful with how you build the system.
Posted: Tue Apr 24, 2007 3:06 pm
by feyd
And that's why we have the ability to generate new session IDs on demand.
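The point feyd is making, regenerating the session ID at the moment of login so that an ID planted before authentication never becomes a logged-in session, as an added example that is not code from any poster in this thread. The verify_user() function, its inline user table and the cookie settings are assumptions for illustration; session_regenerate_id(), session_set_cookie_params() and the session.use_strict_mode / session.use_only_cookies settings are standard PHP.

```php
<?php
// Added example (not from the thread): a login handler that issues a fresh
// session ID once the user authenticates, so an ID an attacker planted
// before login (session fixation) is never promoted to a logged-in session.
// verify_user() and its inline user list are placeholders for illustration.

declare(strict_types=1);

// Assumption: harden the session cookie before the session is started.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_start();

function verify_user(string $username, string $password): ?int
{
    // Placeholder user store: a real application would query its database.
    $users = [
        'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id']
        : null;
}

function login(string $username, string $password): bool
{
    $userId = verify_user($username, $password);
    if ($userId === null) {
        return false;
    }
    // Swap to a brand-new ID and delete the old session data (true),
    // so whatever ID the client arrived with is now worthless.
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['user_id']     = $userId;
    $_SESSION['login_at']    = time();
    // Bind the session to the User-Agent for the later per-request check.
    $_SESSION['fingerprint'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

// Usage (constructed request): login($_POST['username'] ?? '', $_POST['password'] ?? '');
```

Regenerating the ID only after a successful check, and clearing $_SESSION at the same time, means a fixated ID never carries state into the authenticated session; use_strict_mode closes the remaining gap where PHP would otherwise happily adopt an unknown ID sent by the client.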
Posted: Wed Jun 27, 2007 6:08 am
by tpoxa
matthijs wrote: I know that. I only want to mention that session identifiers, whether in a cookie or in a URL, can be fixated and stolen as well. So you still have to be careful with how you build the system.
To prevent it, use this code when initializing the $_SESSION variables:
// record the request details at session start
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['xip'] = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
$_SESSION['browser'] = $_SERVER['HTTP_USER_AGENT'];
then on each page check that:
// map of session keys to the $_SERVER values they were copied from
$check = array("ip" => "REMOTE_ADDR", "xip" => "HTTP_X_FORWARDED_FOR", "browser" => "HTTP_USER_AGENT");
foreach ($check as $key => $value) {
    // compare the value stored at session start with the current request
    $current = isset($_SERVER[$value]) ? $_SERVER[$value] : '';
    if (isset($_SESSION[$key]) && $current != $_SESSION[$key]) {
        session_destroy();
        break;
    }
}
Posted: Wed Jun 27, 2007 6:11 am
by feyd
The requesting IP address can change legitimately during a user's session. Do not rely on it.
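A per-request check in the spirit of tpoxa's post, adjusted for feyd's objection: it binds the session to the User-Agent only, leaves the client IP out because that changes legitimately, and adds idle and absolute timeouts plus periodic ID rotation. This is an added example, not code from any poster; it assumes the login handler stored user_id, login_at and a sha256 User-Agent fingerprint in $_SESSION, and the timeout values and the /login.php redirect target are assumptions.

```php
<?php
// Added example (not from the thread): per-request session validation that
// follows tpoxa's idea of binding the session to request data, but leaves the
// client IP out because it can change legitimately (proxies, mobile networks).
// Timeouts and the login page path are assumptions for illustration.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS      = 15 * 60;   // expire after 15 minutes without a request
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;  // re-authenticate after 8 hours regardless
const REGENERATE_EVERY_SECONDS  = 5 * 60;    // rotate the ID periodically to limit replay

ini_set('session.use_strict_mode', '1');
session_start();

function client_fingerprint(array $server): string
{
    // Only the User-Agent: stable for a browser session, unlike the IP address.
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie on the client too, not just the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function session_is_valid(array $server, int $now): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'], $_SESSION['fingerprint'])) {
        return false; // not logged in, or not initialised by the login handler
    }
    // Constant-time compare; a changed User-Agent is treated as a replayed cookie.
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint($server))) {
        return false;
    }
    $lastSeen = $_SESSION['last_seen'] ?? $_SESSION['login_at'];
    if ($now - $lastSeen > IDLE_TIMEOUT_SECONDS) {
        return false; // idle too long
    }
    if ($now - $_SESSION['login_at'] > ABSOLUTE_LIFETIME_SECONDS) {
        return false; // hard cap on session age, independent of activity
    }
    return true;
}

if (!session_is_valid($_SERVER, time())) {
    end_session();
    header('Location: /login.php'); // assumed login page
    exit;
}

$_SESSION['last_seen'] = time();
$lastRotation = $_SESSION['regenerated_at'] ?? $_SESSION['login_at'];
if (time() - $lastRotation > REGENERATE_EVERY_SECONDS) {
    // Periodic rotation shortens the window in which a copied ID stays usable.
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}
```

A User-Agent check is a weak signal on its own (it is client-supplied and easily copied along with the cookie), which is why the timeouts and rotation carry most of the weight here; the check mainly catches accidental reuse and crude replay without locking out users whose address changes mid-session.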