In security matters:
Session wins because cookies are text files saved on the client computer, so they can be manipulated.
However, to avoid manipulation of the Session, you must specify some security settings (for more information, read the PHP page about Sessions and security), which will help prevent Session Hijacking and Session Fixation:
$timeout = 30; // session timeout in minutes (value chosen by the application)
// ini_set() takes string values; '1'/'0' work on every PHP version (bool is only accepted from PHP 8.1)
ini_set('session.gc_maxlifetime', (string) ($timeout * 60)); // maximum session lifetime in seconds
ini_set('session.use_strict_mode', '1'); // accept only session IDs created by the session module
ini_set('session.use_cookies', '1'); // use together with use_only_cookies
ini_set('session.use_only_cookies', '1'); // take the session ID only from the cookie, never from the URL
ini_set('session.cookie_httponly', '1'); // cookie not readable by JavaScript
ini_set('session.cookie_secure', '1'); // cookie sent only over HTTPS
if (PHP_VERSION_ID < 70100) {
    ini_set('session.hash_function', 'sha512'); // hash used to generate session IDs (setting removed in PHP 7.1); harder-to-guess IDs hinder Session Hijacking
}
ini_set('session.use_trans_sid', '0'); // transparent SID support disabled
ini_set('session.referer_check', 'https://www.seusite.com.br'); // substring the Referer must contain, otherwise the session ID is treated as invalid
ini_set('session.cache_limiter', 'nocache'); // do not cache pages that carry session data
session_start(); // IMPORTANT: only after the commands above; session.* ini_set() calls fail once a session is active
session_regenerate_id(true); // renew the session ID (and delete the old one); requires an active session, so it comes after session_start()
Ideally, for security reasons, use HTTPS for everything, but if you do not have HTTPS available on your php server, you will have to set:
ini_set('session.cookie_secure', '0'); // cookie may be sent over plain HTTP
Which uses the least server resources: Cookies, which can be manipulated only on the client’s computer through JavaScript.
What’s the fastest: Cookies, as they do not need to make requests to the server.
Final considerations: Use SESSION to store confidential data and COOKIES for other data.
NOTE: The Storage feature for JAVASCRIPT is now available, better and faster than cookies.
sessionStorage = data is CLEARED when the browser is closed
localStorage = data are stored indefinitely
Use:
sessionStorage.setItem('variavel_temporaria', 'valor da variavel'); // set value
var conteudo = sessionStorage.getItem('variavel_temporaria'); // read value
localStorage.setItem('variavel_tempo_indeterminado', 'valor da variavel2'); // set value
var conteudo2 = localStorage.getItem('variavel_tempo_indeterminado'); // read value
I hope I’ve helped!
Thanks for the reply, that cleared it up enough, but in relation to Session Hijacking and Fixation, would the settings you passed already solve that?
– Thiago
Yes, and to increase the security level, I added: referer_check, session.cache_limiter, use_strict_mode, hash_function.
– Allan Andrade
Oh, thanks again. Should these ini_set parameters and session_regenerate_id be set at the beginning of the application? Or only the regenerate_id, which has to be set when the session is created, for example when the login is successful?
– Thiago
At the beginning of the application.
– Allan Andrade
Ok, last question: for example, the application would then still be active with Sessions, saving the most sensitive information like email, password, etc., and cookies the less important information. Regarding server consumption by Sessions in a large application, would that not cause any problem, or does it depend on the server? I had also heard about tokens; with these settings, is it still necessary to use them?
– Thiago
Tokens would replace cookies for less sensitive (non-confidential) information. As for Sessions, it depends on the number of Sessions vs. simultaneous users, resources and server configuration.
– Allan Andrade
I understand, so in that case it would be better to open another discussion about server resources vs. Sessions. Thank you!
– Thiago
That error came back to me: A Session is active. You cannot change the Session module’s ini Settings at this time on line 18. Line 18: ini_set('Session.use_trans_sid', false);
– Thiago
I put the session_start after everything, and that seems to have solved it, but should it be before or after the regenerate_id?
– Thiago
You have to call session_start(); after these commands, not before.
– Allan Andrade
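The following is an added example, not code from the answer or the comments above. It puts the answer's hardening settings and the ordering the thread arrives at (ini_set() calls, then session_start(), then session_regenerate_id()) into reusable functions, and guards against the "A session is active" error quoted in the comments by checking session_status() first. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params(), which adds the SameSite flag) and HTTPS; the hypothetical $timeout value and the on_login_success() / enforce_idle_timeout() helpers are this example's own. The referer_check and hash_function settings from the answer are left out: the latter was removed in PHP 7.1.

```php
<?php
// Added example (not the answer's own code). Assumes PHP >= 7.3 and HTTPS.

declare(strict_types=1);

/**
 * Configure and start the session. Returns false and changes nothing if a
 * session is already active, because session.* ini_set() calls would then fail
 * with "A session is active. You cannot change the session module's ini settings".
 */
function secure_session_start(int $timeoutMinutes, bool $https = true): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return false;
    }

    // ini_set() takes strings; '1'/'0' are portable across PHP versions.
    ini_set('session.gc_maxlifetime', (string) ($timeoutMinutes * 60));
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not create (anti-fixation)
    ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
    ini_set('session.use_trans_sid', '0');     // no transparent SID in links or forms
    ini_set('session.cache_limiter', 'nocache');

    // Cookie flags: HttpOnly keeps the ID away from JavaScript, Secure keeps it
    // off plaintext HTTP, SameSite stops the browser sending it cross-site.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    // Start only after every setting above has been applied.
    return session_start();
}

/**
 * Call right after a successful login: a fresh ID invalidates any ID that was
 * planted before authentication (session fixation), and pre-login state is dropped.
 */
function on_login_success(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION = [];
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

/**
 * Idle timeout on each request: destroy the session if it has been unused for
 * longer than the configured limit. Returns true while the session stays valid.
 */
function enforce_idle_timeout(int $timeoutMinutes): bool
{
    $last = $_SESSION['last_seen'] ?? 0;
    if ($last !== 0 && time() - $last > $timeoutMinutes * 60) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Usage with a hypothetical 30-minute timeout:
$timeout = 30;
if (secure_session_start($timeout) && enforce_idle_timeout($timeout)) {
    // handle the request; after verifying credentials call on_login_success($id)
}
```

Because secure_session_start() refuses to run once a session exists, a second call from an include file (the situation that produced the error in the comments) returns false instead of emitting warnings, which makes the ordering problem visible in the return value rather than in the error log.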