Do I log in using cookies or sessions in a login system? I've seen examples using sessions and cookies, so I am confused! Can someone please explain this?

What do most sites use? Love to know!

Thanks in advance ;-)

+4  A: 

Sessions - in most cases - use cookies to store their session id, so it's pretty much always the case that you are using both. Most sites will use sessions, as cookies are inherently insecure: data is stored on the client side, whereas session data is stored on a server. It is largely a matter of security and what data you intend to store, but since it's so easy to modify cookie data, you should never really trust anything within cookies.

seengee
Dang, you posted 5 sec before me. But yes, go with sessions.
ggfan
How does this jibe with the REST philosophy of keeping all session data on the client side (in your opinion)?
Zak
+1  A: 

Log in with sessions because they are safer than cookies in that users don't have direct access to your cookies.

BUT, when you use sessions, you are also using cookies, so in fact you are using both...

ex:

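// start (or resume) the session before writing to $_SESSION
session_start();

// query to get username from database

$_SESSION['user_id'] = ___;   // id from the query result
$_SESSION['username'] = ___;  // username from the query result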

DON'T store passwords or anything sensitive in sessions or cookies

ggfan
"DON'T store passwords or anything sensitive in sessions or cookies" I thought session data was safe as it was on the web server, right?
Imran
They are not 100% safe and it's always good practice to never store passwords in sessions. There shouldn't be a time when you need to store passwords in sessions. But username should be fine. This is the rule I go with.
ggfan
@ggfan thank you
Imran
@Imran someone could change the session id in his cookie and then get access to that other session's data on the server.
Iznogood
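The login flow discussed in the answer and comments above, written out as an added example (not code from any of the posters). The `$users` array is a constructed stand-in for the database query, `login()` and `currentUser()` are hypothetical helper names, and the site is assumed to be served over HTTPS.

```php
<?php
// Constructed user store; a real application would query its database here.
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// The session cookie carries only the random session id.
// Harden it before session_start() (array form needs PHP 7.3+).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS (assumption: site uses HTTPS)
    'samesite' => 'Lax',  // not sent on most cross-site requests
]);
session_start();

// Hypothetical helper: check credentials and populate the server-side session.
function login(array $users, string $username, string $password): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a fresh session id at login, so an id that was known
    // before authentication no longer maps to this session.
    session_regenerate_id(true);

    // Only identifiers go into the session, never the password.
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $username;
    return true;
}

// Hypothetical helper: read identity from server-side session data,
// not from any other cookie value the browser sends.
function currentUser(): ?string
{
    return $_SESSION['username'] ?? null;
}

$ok = login($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $ok ? 'Logged in as ' . currentUser() : 'Login failed';
```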
A: 

A session is your server's or application's idea of a person. In default PHP, when you create a session, a cookie is sent to the browser for storage. Every time the browser makes a request, it will send the cookie along and the server will look up the information it has associated with that cookie. Sessions are good for storing user settings or server information because the user only ever sees the session key.

With cookies you can set a preference independent of the user or session at your site, like the style of the page or whether this is a shared browser. This information will be sent with requests from that browser, so it can be accessed from server scripts. The bonus with cookies is that JavaScript can use their values for processing without backend support (for static pages), and that the user can change them themselves.

Good advice above should be followed: put nothing in cookies you wouldn't want anyone to see.

Not only can the user see them, anyone with access to the user's computer or the network connection between you and the user can see them.

amccausl
A: 

It is a bit of a minimalistic answer, but here goes:

- If your login system has a "remember me" feature, it very likely uses cookies but not sessions
- If not, it uses cookies and sessions (because sessions use cookies, as said in the posts above)

Hope it helps.

Zaziffic