Sessions or Cookies for login system?

Viewed 1,431 times

1

I am doing a PHP login system and would like to know which option is safer: Cookies or Sessions. I know that many developers don’t like to use cookies because they can be removed by users. But my question is on security, which is safer?

  • 1

    Sessions are cookie-based. If you start a Session it automatically creates a cookie with a name PHPSESSID. Create a session and run in 2 browsers and change the value of PHPSESSID from one to the other and see the result.

  • 1

    What @Papacharlie said is totally correct. The problem is also not whether you use explicit cookies or sessions, but the way you use them. There is no problem in using a cookie that has a public name but whose value is a key/token that only you know how it works and whether it is a legitimate key created by your system, for example to validate a user. As Papacharlie said, when you open a session a cookie is created.

1 answer

2


Still, use sessions: cookies can also be removed by users, and can be read by some malware that the user has on the PC. The only correct way to use cookies is only to save the session ID to retrieve the user’s session, and even then the session ID must be encrypted somehow.

  • Session creates a cookie PHPSESSID, just remove it to lose the Session.

  • Yes, but see, this cookie does exactly what I said, it just stores the session ID, but no user data. And if the user chooses to delete the cookie and lose the session, it was his choice.

  • I call session start and place this call on every page that needs to be protected. I run the query in the database... my biggest fear is that some user can access the page without being logged in. Thank you very much.

  • @Augusto, if you do not set a cookie duration, it will automatically be deleted as soon as the browser is closed and the session is closed. Similarly if a session is opened and the browser closed. What you have to worry about is: which of the two is better for my system? There are users who block cookies in browsers. When in doubt, use SESSION and that's it. =) But both are safe, because both are the "same thing". You will have to avoid brute force, SQL injection, etc.

  • Thank you for the help, it was very helpful to me. As for SQL injection, I will have to ask about security later. Thank you very much.
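As an added example that is not part of the original thread, here is the pattern the answer describes in PHP: the cookie carries only the PHPSESSID value, the user data stays server-side in `$_SESSION`, and every protected page calls a guard instead of a bare `session_start()`. The function names, the `$row` record shape and the `/login.php` URL are assumptions.

```php
<?php
// auth.php: hypothetical helper functions, not from the original thread.
declare(strict_types=1);

// Harden the PHPSESSID cookie before any session is started.
function start_secure_session(): void
{
    // Reject session IDs the server never issued (mitigates session fixation).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: removed when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // limits cross-site sending (CSRF)
    ]);
    session_start();
}

// Call from the login handler after start_secure_session().
// $row is the user record fetched from the database (assumed shape: id, password_hash).
function login_user(array $row, string $password): bool
{
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh ID on privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Put this at the top of every protected page; it never trusts cookie contents,
// only the server-side session that the cookie's ID points to.
function require_login(string $login_url = '/login.php'): int
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Clears server-side state and expires the cookie on the client.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected page then starts with `$userId = require_login();` and reads nothing from `$_COOKIE` directly.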
