1 Replies - 421 Views - Last Post: 29 November 2012 - 08:45 PM

#1 hwoarang69

Reputation: -1
  • Posts: 171
  • Joined: 23-October 12

which should i use session or cookies

Posted 29 November 2012 - 08:04 PM

I know the difference between sessions and cookies, but I am not sure when to use which one. When people make websites like dreamincode, myspace, linkedin, etc., what do they use?

Right now on my site, when a user logs in a session gets started, but if the user hits "remember me" then a cookie gets started. Is this a good idea or a bad idea? Let me know.


Replies To: which should i use session or cookies

#2 Atli

Reputation: 4240
  • Posts: 7,216
  • Joined: 08-June 10

Re: which should i use session or cookies

Posted 29 November 2012 - 08:45 PM


Generally, you want to use session for login details. Keep in mind, though, that the session is maintained by passing the session ID via a cookie! (Well, 99.9% of the time.)

Creating a "remember me" feature can be tricky, because if you do it incorrectly, it can be a major security problem. For instance, if you simply save the user ID in the cookie and accept that as valid login credentials, pretty much anybody from anywhere can log in as any user. If you plan on saving the password as well, either in plain text or hashed, then forget about it. It's no more secure than using just the id/name, and it makes the user's password vulnerable to hacking. (You always want to handle passwords as little as humanly possible, even if they are encrypted or hashed!)

The best way I've seen to create such a feature is to always store the user login stuff in the session, but on each page request, generate a random(ish) security token, save it in the database, and then save it as a cookie. Then, if a request is coming from a user that doesn't have the login details in a session already, you match the security token in the cookie (if any) to any security codes in the database, and if they match you automatically log the user in. - This way the key is not static, so it can't be as easily intercepted and stolen (though that can certainly happen; it's a constant concern with this type of feature), and you aren't saving any sensitive data in the cookies.
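The rotating-token scheme described in the answer above, written out as an added example (this is not code from the thread or from dreamincode). It is plain Python; an in-memory dict stands in for the database table, and the `session` and `cookies` dicts stand in for the web framework's session store and the request's cookie jar. One choice beyond what the post states, noted as an assumption: the table stores only a SHA-256 hash of each token, so a leaked copy of the table cannot be replayed as cookies, and the token used to log in is discarded the moment it is used, so a copied cookie stops working as soon as the legitimate browser makes its next request.

```python
import hashlib
import secrets
from typing import Optional

# Constructed stand-in for the "security token" table the answer describes.
# Key: SHA-256 hex digest of a token. Value: the user id it belongs to.
# Only the digest is stored (assumption, not stated in the post), so the raw
# token exists in exactly one place: the user's cookie.
remember_tokens: dict[str, int] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def rotate_token(user_id: int, old_token: Optional[str] = None) -> str:
    """Invalidate old_token (if any) and issue a fresh random token for user_id.

    Returns the raw token; the caller puts it in the cookie. The table keeps
    only its digest. secrets.token_urlsafe draws from the OS CSPRNG, which is
    what "random(ish)" should mean in practice.
    """
    if old_token is not None:
        remember_tokens.pop(_digest(old_token), None)
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    remember_tokens[_digest(token)] = user_id
    return token


def login(session: dict, user_id: int, remember: bool) -> dict:
    """Called after the password check has already succeeded (not shown here).

    The login itself lives in the session; the cookie only ever carries a
    token, never the user id or anything derived from the password.
    Returns the cookies the server should set (constructed format).
    """
    session["user_id"] = user_id
    return {"remember": rotate_token(user_id)} if remember else {}


def handle_request(session: dict, cookies: dict) -> dict:
    """Simulate one page request and return the cookies to set back.

    If the session has no login but a remember cookie is present, the token
    is looked up by digest and, on a hit, the user is logged in. Every
    request from a remembered user then rotates the token.
    """
    presented = cookies.get("remember")
    if "user_id" not in session and presented:
        user_id = remember_tokens.get(_digest(presented))
        if user_id is not None:
            session["user_id"] = user_id
    if "user_id" not in session:
        return {}  # anonymous request: nothing to set
    if presented is None:
        return {}  # logged in via session only; user did not ask to be remembered
    # Rotate on every request: the presented value is dead after this point.
    return {"remember": rotate_token(session["user_id"], presented)}


def logout(session: dict, cookies: dict) -> None:
    """Drop the session and revoke whatever remember token the browser holds."""
    presented = cookies.get("remember")
    if presented is not None:
        remember_tokens.pop(_digest(presented), None)
    session.clear()
```

In a real deployment the cookie would additionally be set with the HttpOnly and Secure flags and an expiry, and the table would record an issue time so stale tokens can be purged; the post's point that interception remains a concern still holds, rotation only narrows the window in which a stolen value is useful.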
