I have a user object which contains information about the user (username, ip, country, name, email... but NOT password). Should I store just the username in the cookie and then retrieve all info from DB upon loading the page, or just store the entire User object in the cookie?

+12  A: 

You can't trust any information stored in a cookie, as the user can manipulate it at his/her leisure.

I suggest using a PHP session to store the object. That way, the end user only has a session ID stored in a cookie, with the real data on your server.

The session will eventually time out, though... forcing the user to log in again.

Edit: Whoops, I should point out that sessions are really easy to use. Just do the following:

```php
session_start(); // This MUST be on every page that accesses the session

// Store something in the session with the key 'something'
$_SESSION['something'] = "Hi, I'm a session!";

// Retrieve 'something' from the session
$myString = $_SESSION['something'];
```
R. Bemrose
+1 for 'you can't trust data in cookies.' To expand on R. Bemrose's point: cookies should contain a pointer to data in your system, nothing more. This way, by itself, the cookie data is meaningless.
Dave Swersky
Also, passing around huge amounts of data in a cookie may have an adverse effect on page loading times as the cookie is passed with every request.
Yacoby
Or, it could have a positive effect on page loading times, as it allows you to eliminate a database round-trip. You'll only know by measuring. :)
Thom
@Thom: Assuming you're responding to Yacoby: you'd save a database round-trip at the expense of sending the cookie with each and every request to your server. A session neatly eliminates both of these problems.
R. Bemrose
@R.Bemrose: and that comes at the cost of hitting your session store each request - I suspect in PHP's default setup that means reading and writing a file, so you've got additional disk IO to worry about. All I'm saying is storing stuff in a cookie is a valid thing to do if it floats your boat, and any decisions you make about performance should be based on things you've measured and not assumptions you've made. :)
Thom
PHP defaults to the files session handler by default. This is because the default PHP compile doesn't include the mm shared memory library, needed for the in-memory session handler (which is just called "mm").
R. Bemrose
A: 

For that case, I'd say store the user-id in the cookie and that's it. Then, upon first load of the page you load everything you need from the database and go on using a session as long as the user stays on your page.

To test if the page is loaded the first time, I just set a bool in the session if it has been loaded. If the bool doesn't exist, your user loads it initially.

There are probably better ways of doing this, but it works nice and easy. :)

ApoY2k
What's the downvote for? Did I say something wrong?
ApoY2k
A: 

The standard rule of 'never trust posted data' applies to cookies too. I suggest storing just the user ID as well as a hash of the ID and some secret known only to the server.

JeffreyABecker
A: 

Only store a session id! Never meaningful data such as user id. Imagine that you have a site with 10,000 users. Chances are that you have at least one user called superman and batman - if you store a username in a cookie to access your session information - it is potentially feasible for me to manipulate that cookie to change stored info from my username to batman and gain access to batman's account if his session is still alive. If you store some sort of randomly generated session id - it's pretty much impossible for me to figure out a session number that would work for another user to hijack that session.

Nick Gorbikoff
A: 

You can trust information in the cookie if you use something like HMAC. Users could still see the data, but you would know if they had tampered with it (for example, changing their username to someone else's in an attempt to see another user's data). If you don't want them to see the data, you could also symmetrically encrypt the data you're sending. Obviously there's a CPU overhead to all of this, and a bandwidth overhead the more stuff you cram in there, but it's entirely legitimate to do what you're asking.

Thom
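
The signed-cookie approach described in JeffreyABecker's answer (user ID plus a keyed hash) and in Thom's answer (HMAC), as an added example that is not part of the original thread. The function names, the `|`-separated layout, the numeric-ID restriction and the expiry field are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not code from the thread.

/** Build "userId|expiry|mac"; the MAC covers both the user ID and the expiry. */
function make_signed_cookie(string $userId, int $ttlSeconds, string $key): string
{
    if (!ctype_digit($userId)) {
        // Assumption: numeric IDs only, so the '|' separator can never be ambiguous.
        throw new InvalidArgumentException('user ID must be numeric');
    }
    $payload = $userId . '|' . (time() + $ttlSeconds);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

/** Return the user ID if the cookie is authentic and unexpired, otherwise null. */
function read_signed_cookie(string $cookie, string $key): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed value
    }
    [$userId, $expiry, $mac] = $parts;

    // Recompute the MAC over the received fields and compare in constant time.
    $expected = hash_hmac('sha256', $userId . '|' . $expiry, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // ID or expiry was altered, or a different key was used
    }
    if (!ctype_digit($userId) || !ctype_digit($expiry) || (int) $expiry < time()) {
        return null; // expired or not in the format this code issues
    }
    return $userId;
}

// Constructed demo values. A real deployment loads one persistent secret
// from server-side configuration instead of generating a key per request.
$key    = random_bytes(32);
$cookie = make_signed_cookie('1042', 3600, $key);

// Tampered copy: the ID is changed while the MAC is left as issued.
$tampered = preg_replace('/^1042/', '1', $cookie);

var_dump(read_signed_cookie($cookie, $key));
var_dump(read_signed_cookie($tampered, $key));
```

The signature only detects modification: the user ID and expiry remain readable by the client, and a copied cookie stays valid until its expiry, so it should still be sent with the `Secure` and `HttpOnly` cookie flags.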