views:

72

answers:

5

The title pretty much says it all. A cookie seems to have a few advantages to me; however, I'll wait to see what others say.

Also - assuming a cookie is better, what can be done to make passing the session by GET variable better?

Specifically I'm thinking about PHP; however, this should apply generally.

+4  A: 

Storing it in a cookie as opposed to in a GET var has at least one advantage, in that the session ID'd URL will never be bookmarked by any user.

karim79
Right, or copy/pasted.
Tim Lytle
+3  A: 

Cookies are the better way to go.

The downsides of having the session ID in the GET variable are

  • URLs look uglier

  • it screws up links and bookmarking (although this is more a cosmetic problem, as an expired session will simply be deleted and a new one created)

  • it can be slightly less secure (when people share links containing the session ID, and inadvertently have their session "hijacked").

Search engines, however, will remove the session ID from indexed URLs, as long as they are named after a standard scheme (PHPSESSID, SID...) so this is not a problem.

The usual way to go here (and I think, PHP's default behaviour) is to use Cookies when possible, and to fall back to GET variables if they are disabled.

As to how to make GET variables "better" - one way to make URLs containing them a bit more pretty is to use URL rewriting, so you can have e.g.

example.com/category/page/1234567890 

1234567890 being the session ID.

However, note that this will lead to search engines being unable to strip out the session ID, because they have no way of telling it is one.

The security issue that a session ID could inadvertently be copy+pasted to a new user can be controlled through low session timeouts, and anti-"session hijacking" measures as shown e.g. in this question. However, the accepted answer suggests using session.use_only_cookies .....

Pekka
Rewriting the URLs to get "good-looking" session IDs is probably a bad idea for a number of reasons, for example: search engines are not able to strip it; the user doesn't know it's a session ID; the URL structure becomes strange when the session ID is a folder/file. Otherwise, +1 as always on your answers :-)
Emil Vikström
@Emil cheers. You're totally right about the search engine aspect, I'll add this in.
Pekka
+1  A: 

Storing it in a cookie prevents it from being accidentally bookmarked or given to someone in a link.

Having said that, PHP manages its session cookies on its own, so it's not something you need to do manually. PHP 5.3.0 and later releases use only cookies by default (session.use_only_cookies 1). Prior to this, it would try cookies first by default and fall back to GET variables if that failed (session.use_cookies 1).

Edit: Although PHP manages its own session cookies, you can modify the session cookie's parameters before calling session_start().

R. Bemrose
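The settings R. Bemrose mentions (session.use_only_cookies, changing the cookie parameters before session_start()) and the "low session timeout" plus anti-hijacking measures Pekka refers to can be combined into one bootstrap file. The following is an added example written for this page; it is not code from the question, from any of the answers, or from PHP's own documentation. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a site served over HTTPS so the cookie can be marked secure; the function name, the constant, and the 15-minute idle limit are illustrative choices, not anything the answers specify.

```php
<?php
// Added example for this page, not code posted by any of the answerers.
// Assumes PHP >= 7.3 and an HTTPS-only site. The function name, the
// constant name and the 15-minute limit are illustrative choices.

const IDLE_LIMIT_SECONDS = 15 * 60;   // assumed "low session timeout"

function start_hardened_session(): void
{
    // 1. Session ID comes from the cookie only: never read it from a GET
    //    variable and never rewrite it into links/forms. This is the
    //    PHP 5.3+ default, but a php.ini may have changed it, so be explicit.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // 2. Refuse session IDs the server never issued (PHP >= 5.5.2). Without
    //    this, an ID pasted from a shared link or chosen by an attacker would
    //    be accepted as-is and become a live session (session fixation).
    ini_set('session.use_strict_mode', '1');

    // 3. Cookie attributes must be set before session_start().
    //    lifetime 0 = session cookie, dropped when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',     // not sent on cross-site POSTs
    ]);

    // 4. If a session ID still shows up in the query string (an old bookmark
    //    or a shared link), PHP ignores it under use_only_cookies, but it
    //    will keep propagating via the address bar and Referer headers.
    //    Redirect to the same URL with the parameter removed.
    if (isset($_GET[session_name()])) {
        $clean = $_GET;
        unset($clean[session_name()]);
        $path   = strtok($_SERVER['REQUEST_URI'], '?');
        $target = $path . ($clean ? '?' . http_build_query($clean) : '');
        header('Location: ' . $target, true, 302);
        exit;
    }

    session_start();

    $now = time();

    // 5. Idle timeout, independent of the cookie's own lifetime: an ID that
    //    leaked via copy/paste is only useful while the session is active.
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > IDLE_LIMIT_SECONDS) {
        $_SESSION = [];                 // drop all session data
        session_regenerate_id(true);    // new ID, old one deleted server-side
    }
    $_SESSION['last_activity'] = $now;

    // 6. Rotate the ID periodically anyway, so even an active session's ID
    //    has a bounded useful life for anyone who obtained it.
    if (!isset($_SESSION['id_issued'])) {
        $_SESSION['id_issued'] = $now;
    } elseif (($now - $_SESSION['id_issued']) > IDLE_LIMIT_SECONDS) {
        session_regenerate_id(true);
        $_SESSION['id_issued'] = $now;
    }
}

start_hardened_session();
```

Include this file before any output is sent, since both session_set_cookie_params() and the redirect in step 4 need to emit headers. Steps 1 to 3 are pure configuration; steps 4 to 6 are the parts PHP does not do for you and are where the "copied link" problem from the answers above is actually contained.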
+1  A: 

I can think of more reasons to use a cookie

Pros for not using cookie

  1. Cookie can be disabled and site will still work

Pros to using a cookie

  1. More secure
  2. Search engines don't index it
  3. People can't copy and paste it to friends
  4. People can't bookmark it
  5. You can easily expire it using cookie expire time
Amir Raminfar
+1  A: 

Although using cookies seems more secure and convenient, you can, and probably should, enhance the native session mechanism.

PHP provides a convenient way, but if you are aiming for more security than convenience, you would want to change some things in session handling.

Read Chris Shiflett articles about PHP sessions to get a better understanding.

Dave