Re: Sessions vs Cookies



Betikci Boris wrote:
On Dec 7, 2:15 pm, Bill H <b...@xxxxxxxxx> wrote:
I am working on a project that will eventually scale up to multiple
servers and want to be sure I choose the correct path for controlling
persistent information, for example a user's ID. From what I have read,
using sessions could limit me to a single server, whereas cookies
will allow me to have multiple servers as the persistent information
travels with the client instead of residing on the server. Am I wrong
in this assumption? Are there any best practices for dealing with
persistent information and multiple servers?

Bill H

You can securely use cookies. PHP sessions use cookies, so anybody can
easily fake default PHP session management. At least I tried it
locally and remotely and succeeded; basically I created the same cookie in a
different browser for a previously created session.
You can store anything in cookies by using the PHP mcrypt extension's
cryptographic functions to encrypt the data stored in cookies,
e.g. user IDs, other info, etc.

First of all, you can only do that if you have the session id available. That means you are either on the machine using the session, or somewhere between the client and server, and monitoring the traffic.

And even if you do fake the session id, you cannot change the data stored in the session from the client.

Sure, you can store things in cookies - if the browser has cookies enabled, anyway. If it doesn't, well, you have a problem.

Of course, there's also the added overhead of sending lots of data back and forth to the client, and the fact that setcookie() must be called before any output is sent to the client. You have to call session_start() before sending output, but after that, you can set session data anywhere in the script.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
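The two approaches argued over above, side by side, as an added example (not code from any poster in this thread). The server-side route keeps only an opaque session id in the cookie, and the id is regenerated after login so an id captured before login is useless afterwards; sessions are also not tied to one server, since PHP's session.save_handler can be pointed at storage shared by all servers. The client-side route puts the state in the cookie itself, but encrypts it and, more importantly, authenticates it with an HMAC, so the server can reject any value the client altered or forged; encryption alone, which is what the mcrypt suggestion gives you, hides the payload but does not stop tampering. The mcrypt extension was removed from core PHP in 7.2, so this uses OpenSSL instead. The cookie name `state`, the function names, and the constructed demo key are all assumptions of this example; a real deployment loads one key shared by every server from configuration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.3 with the OpenSSL extension.
declare(strict_types=1);

// --- Approach 1: server-side session state; only the opaque id reaches the client ---
function loginWithSession(int $userId): void
{
    session_start();                 // must run before any output, like setcookie()
    session_regenerate_id(true);     // fresh id after login; the pre-login id is discarded
    $_SESSION['user_id'] = $userId;  // stays on the server; the client cannot edit it
}

// --- Approach 2: state inside the cookie, encrypted and integrity-protected ---
// Layout of the decoded value: iv (16 bytes) . hmac (32 bytes) . ciphertext.
// Separate keys for encryption and MAC are derived from one shared master key.
function deriveKeys(string $master): array
{
    return [
        'enc' => hash_hmac('sha256', 'enc', $master, true), // 32 bytes, fits aes-256-cbc
        'mac' => hash_hmac('sha256', 'mac', $master, true),
    ];
}

function sealCookieValue(array $data, string $master): string
{
    $k = deriveKeys($master);
    $plaintext = json_encode($data, JSON_THROW_ON_ERROR);
    $iv = random_bytes(16);
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ciphertext, $k['mac'], true);
    return base64_encode($iv . $mac . $ciphertext);
}

// Returns the decoded array, or null if the value is malformed, forged or altered.
function openCookieValue(string $cookie, string $master): ?array
{
    $k = deriveKeys($master);
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 32 + 16) {
        return null;
    }
    $iv = substr($raw, 0, 16);
    $mac = substr($raw, 16, 32);
    $ciphertext = substr($raw, 48);
    // Check the MAC before touching the ciphertext; hash_equals is constant-time.
    $expected = hash_hmac('sha256', $iv . $ciphertext, $k['mac'], true);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        return null;
    }
    $data = json_decode($plaintext, true);
    return is_array($data) ? $data : null;
}

function sendStateCookie(string $sealed): void
{
    // Same rule as session_start(): nothing may have been output yet.
    setcookie('state', $sealed, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS, so it cannot be sniffed in clear
        'httponly' => true,   // not readable by scripts in the page
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    $master = random_bytes(32); // constructed demo key; real code loads a configured one
    $sealed = sealCookieValue(['user_id' => 42], $master);
    var_dump(openCookieValue($sealed, $master));

    // Flip one bit of the ciphertext: the MAC no longer matches and the value is rejected.
    $bin = base64_decode($sealed, true);
    $last = strlen($bin) - 1;
    $bin[$last] = chr(ord($bin[$last]) ^ 0x01);
    var_dump(openCookieValue(base64_encode($bin), $master));
}
```

Run it from the command line to see a valid value decode and the altered copy come back as null. Neither approach defends against a copied cookie being replayed from another browser, which is the attack Boris describes; that is addressed by the transport and scope flags passed to setcookie(), by short lifetimes, and by regenerating the session id at privilege changes.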