+7  Q: 

get or session?

I have a login form, which is in login.php. After authorization I move the client to the some.php file! So, of the following two methods, which is better?

  1. I can send information about the user id etc. by GET
  2. I can use SESSIONs for this

What is more preferred?

And two words about why I ask this question. I heard somewhere that SESSIONs aren't a good programming method, and it's not suggested to use them in such situations...

Thanks

+1  A: 

There's nothing inherently bad about sessions. In fact, in this situation I would store the userid in the session rather than passing it around in the URL. It'll be much cleaner, and more professional, IMHO. Storing trivial information in the session is fine.

Jonathan Sampson
+1  A: 

$_SESSION might have its flaws, but using $_GET for this kind of thing is even worse.

Mathias Bynens
+7  A: 

Sessions are indeed the preferred solution. You can't trust data sent in the querystring ($_GET, $_POST, $_COOKIE etc.) because all of those can be changed by the user, but you can trust that no one has tampered with the $_SESSION data, since $_SESSION is stored on the server.

Emil Vikström
Yes - the best way is to save the user id in your session, and if possible, save the id hashed (AES) - but it is not really important. Because if you save it in your session, the user cannot change it. And if he logs out. If you use $_GET, he can change "?id=1232" (e.g.) to "?id=1", and this maybe is an Administrator. Same with cookie and POST...
ahmet2106
@ahmet2106: AES is an encryption scheme, not a hash function. For hashing, use SHA-512 or similar.
Felix Kling
@Felix Kling, was my fault, I was meaning encrypt :) Not hash^^ Yes, for hash he can use SHA or other...
ahmet2106
+1  A: 

If I understand the question right, then none. Use POST for this instead and then create a SESSION upon logging in.

Let's say a user comes to index.php, where the login form is. He fills in the info and pushes "login". You send the data to login.php using POST. If the user name, password and whatever other information are correct, you create a SESSION and redirect the user somewhere else.

Ondrej Slinták
A: 

I would use SESSION if you want to store some information that is based on the authentication success. Data in GET and POST variables is too easy to manipulate.

Ladislav
A: 

If you have to decide between $_SESSION and $_GET, then, for secure stuff, use $_SESSION. All the user can do with sessions is destroy them (by deleting the PHPSESSID cookie), but the user cannot manipulate them.

If you have to pass information once, $_SESSION is very good. You can store some data into the $_SESSION variable, change location via PHP (so the user cannot block the script by disabling JavaScript; just use header('Location: '.$path);), use the $_SESSION content on the other page, and the user does not have a time interval in which he could destroy the session. This is safe.

arik-so
No, it's not always safe. The user can refuse to follow the location header and not make the second request, so you can't always trust that the user will make the second request after a location header (you can trust it if it's a legitimate user, but it's the illegitimate users we are trying to protect ourselves from in the first place).
Emil Vikström
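The flow described in Ondrej's and arik-so's answers (credentials by POST to login.php, user id kept only in $_SESSION, redirect with header('Location: ...'), some.php trusting the session rather than a ?id= parameter), as an added example that is not code from the thread. The functions demo_users, authenticate, establish_session and current_user_id, the user names, ids and passwords, and the 1800-second idle limit are all my own assumptions.

```php
<?php
// Constructed demo user table (hypothetical); a real app would load the
// stored password_hash() value from a database instead.
function demo_users(): array {
    return [
        'alice' => ['id' => 1232, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        'admin' => ['id' => 1,    'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// Returns the user id for valid credentials, null otherwise.
function authenticate(array $post, array $users): ?int {
    $u = $users[$post['username'] ?? ''] ?? null;
    return ($u && password_verify($post['password'] ?? '', $u['hash'])) ? $u['id'] : null;
}

// After a successful login: fresh session id, then bind the user to it.
function establish_session(int $userId): void {
    session_regenerate_id(true);          // the pre-login id cannot be reused
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

// some.php side: the session is the only trusted source of the user id;
// the idle timeout gives the expiry the last answer mentions.
function current_user_id(int $idleLimit = 1800): ?int {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $idleLimit) {
        session_unset();                  // expired: drop all server-side data
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// login.php request handling: credentials arrive by POST, never in the URL.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $id = authenticate($_POST, demo_users());
    if ($id === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    establish_session($id);
    header('Location: some.php');         // redirect from PHP, no JavaScript needed
    exit;                                 // nothing after the redirect should run
}
```

On some.php, call session_start() and then current_user_id(); a null result means the visitor is not logged in (or timed out) and should be sent back to index.php.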
A: 

The safest way would be to use SESSIONS, because that would mean that only a token/identifier is stored on the client side, and all of the data represented by the token/identifier is stored on the server. Besides, you can set an expiry time for sessions too, which would make it more secure.

ovais.tariq