Author Topic: $_Session vs $_Cookie  (Read 2555 times)

micah

$_Session vs $_Cookie
« on: June 12, 2006, 09:45:47 AM »
quick question (eventually),

My thoughts have always been that sessions are more secure than cookies because you don't want users hacking up the cookie data. My rule of thumb is to never trust the users.

Of course, with session vars, anyone w/ access to the tmp dir where they are stored can view their contents.  Normally not a problem if you own the server, trust yourself and aren't holding sensitive data in your session variables.

but what if you trust the user more than the server admin/host when it comes to securing data? In a shared host environment or w/ a third party administrator - the data can be accessed. My thoughts were to encrypt all of the data and instead of hard coding the key into a script, let the user enter it at login (the key would be some sort of a salted hash version of their password). Then as they move from page to page, the key decrypts their data but the key itself is never actually saved on the server.

With this idea, obviously sessions won't work because those with server side access could read the session data... so my question, finally....

if you use cookies and send them over SSL, is there any way that anyone other than the client-side user can view the cookie data?

Thanks!
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."
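The scheme micah sketches above (key derived from the password at login, carried only in a cookie, session data encrypted at rest) written out in current PHP, as an added example that is not part of the original thread. It assumes PHP 7.3 or later with ext/sodium, HTTPS on every page, a per-user salt stored with the account record, and a hypothetical /login.php.

```php
<?php
// Added example (not from the thread): encrypt the session payload with a key that
// is derived from the user's password at login and travels only in a Secure,
// HttpOnly cookie, so the server's session store holds ciphertext, never plaintext.
// Assumes PHP >= 7.3 with ext/sodium and that every page is served over HTTPS.

const KDF_ITERATIONS = 100000; // hypothetical tuning value, raise as CPU allows
// At login: derive the key from the password and a per-user salt kept with the
// account record. Only the derived key is handed to the client; nothing is stored.
function derive_session_key(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS,
                       SODIUM_CRYPTO_SECRETBOX_KEYBYTES, true);
}

function issue_key_cookie(string $key): void {
    setcookie('skey', base64_encode($key), [
        'expires'  => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only ever sent over TLS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
}

// Store: only nonce + authenticated ciphertext reach $_SESSION (and the tmp dir).
function session_put(array $data, string $key): void {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $_SESSION['blob'] = $nonce . sodium_crypto_secretbox(json_encode($data), $nonce, $key);
}

// Load: a wrong or missing key, or a tampered blob, fails the MAC and yields null
// instead of a partially trusted array.
function session_get(string $key): ?array {
    if (!isset($_SESSION['blob'])) return null;
    $nonce = substr($_SESSION['blob'], 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($_SESSION['blob'], SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $plain === false ? null : json_decode($plain, true);
}

// Per request: recover the key from the cookie; without a valid key the visitor is
// treated as logged out.
session_start();
$key = isset($_COOKIE['skey']) ? base64_decode($_COOKIE['skey'], true) : false;
if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
$state = session_get($key) ?? [];
```

The server still receives the cookie with every request, so a host who can inspect live requests or access logs (which should never record cookies) can still capture the key; the scheme only keeps the plaintext out of the session store at rest.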

ober

Re: $_Session vs $_Cookie
« Reply #1 on: June 12, 2006, 10:48:02 AM »
I don't use SSL with cookies, but I just thought I'd throw in my 2c on this. There was a huge push to use sessions a while ago instead of cookies because it took cookies out of the equation since some people turn them off. I've seen a recent trend that has been exactly opposite of that. Sessions are now said to be less secure than cookies and people don't seem to be concerned with users turning cookies off. And I think the stats would show that fewer people turn cookies off than turn off JavaScript.

Having said all that, if you don't trust your host or your shared server people, get a dedicated server or switch hosts.  I personally use a mix of cookies and sessions in most of my sites.