Posted by Justin Koivisto on 12/29/05 16:32

Oli Filth wrote:
> jody.florian@gmail.com said the following on 29/12/2005 00:44:
>
>> http://uk2.php.net/setcookie
>> suggests that for security, implode (correction of explode) should be
>> used instead of serialize. Does anyone know why?
>
> Dunno, but if you have enough data stored in a cookie for
> implode()/serialize() etc. to be necessary, then you're probably better
> off storing it all server-side, either in a DB or a file, and storing
> just a UID in the cookie (like how sessions work).
>
> Storing whole objects/data structures client-side is just asking for
> trouble.

Agreed. There may be times where storing a bit of data in a cookie is
quite tempting, but you should keep as much of the data on the server
rather than on a user's computer. Rule #1 in programming: Never trust
the user.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com

• Next in forum: Re: Cookie Security - Array Values: Implode or Serialize?
• Prev in forum: Re: Cookie Security - Array Values: Implode or Serialize?
• Thread view: Re: Cookie Security - Array Values: Implode or Serialize?

[Reply to this message]