quick question (eventually),
My thoughts have always been that sessions are more secure than cookies because you don't want users hacking up the cookie data. My rule of thumb is to never trust the users.
Of course, with session vars, anyone w/ access to the tmp dir where they are stored can view their contents. Normally not a problem if you own the server, trust yourself and aren't holding sensitive data in your session variables.
But what if you trust the user more than the server admin/host when it comes to securing data? In a shared host environment or w/ a third party administrator, the data can be accessed. My thoughts were to encrypt all of the data and, instead of hard coding the key into a script, let the user enter it at login (the key would be some sort of a salted hash version of their password). Then as they move from page to page, the key decrypts their data, but the key itself is never actually saved on the server.
With this idea, obviously sessions won't work because those with server-side access could read the session data... so my question, finally....
If you use cookies and send them over SSL, is there any way that anyone other than the client-side user can view the cookie data?
Thanks!
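The scheme sketched above (derive a key from the user's password at login, keep only ciphertext on the server, hand the key to the client in a cookie) can be shown concretely. The following is an added example in Go using only the standard library; it is not code from the original post. The cookie name `sesskey`, the iteration count and the sample salt are assumptions chosen for illustration. PBKDF2 is written out by hand so the block has no third-party dependency, and AES-GCM is used so that a host admin who edits the stored blob gets a tag failure instead of silently altered session data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
)

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018 PBKDF2
// with HMAC-SHA256). Hand-rolled here so the example stays stdlib-only.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := make([]byte, hLen)
		copy(t, u)
		for n := 1; n < iter; n++ { // U_2 .. U_c, XORed together
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveSessionKey turns the password typed at login into a 256-bit AES key.
// The per-user salt may live on the server; the password and key never do.
func DeriveSessionKey(password string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(password), salt, 100000, 32) // iteration count is an assumption
}

// Seal encrypts a session payload with AES-256-GCM. The server stores only
// the returned nonce||ciphertext||tag blob.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored blob with the key presented by the client. Any
// change to the blob, or a wrong key, fails the GCM tag check.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// KeyCookie carries the derived key back to the browser. Secure keeps it off
// plain HTTP, HttpOnly keeps page scripts from reading it, SameSite limits
// cross-site sends. Cookie name "sesskey" is an assumption.
func KeyCookie(key []byte) *http.Cookie {
	return &http.Cookie{
		Name: "sesskey", Value: hex.EncodeToString(key), Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	salt := []byte("constructed-per-user-salt") // constructed sample salt
	key := DeriveSessionKey("correct horse battery staple", salt)
	blob, _ := Seal(key, []byte(`{"uid":42,"role":"user"}`))
	fmt.Printf("stored on server: %x\n", blob)
	pt, err := Open(key, blob)
	fmt.Printf("decrypted with client key: %s (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // simulate an admin editing the stored file
	_, err = Open(key, blob)
	fmt.Println("after tampering, Open returns error:", err != nil)
}
```

The server still sees the key in memory while handling each request, so this protects the data at rest in the session store, not against an administrator who can read process memory or modify the application code itself.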