Posted by Jerry Stuckle on 11/18/67 11:43
Jon wrote:
> Is there any advantage to be gained from using the calls to a cookie then?
> I thought that setting a $_SESSION variable also saved a cookie anyways...
>
> "fiziwig" <fiziwig@yahoo.com> wrote in message
> news:1143560669.145997.260430@t31g2000cwb.googlegroups.com...
>
>>As I understand it, having the information in the cookie on the user's
>>system makes it possible for someone to create a counterfeit cookie and
>>spoof the system. Using the $_SESSION array keeps it on the server side
>>and is more secure.
>>
>>--gary
>>
>
>
>
Yes.
When you use sessions, the data remains on the server. Only the session id is
saved as a cookie. Also, if the user has cookies disabled, the session id can
be passed as a GET parameter.
Also, the session id is a long string of random characters - very hard to guess,
and is only valid during that session. Unlike a user id, which is shorter,
oftentimes visible (e.g. in discussion boards, etc.) or at least easily
guessable, chances are the session id will not be guessed.
OTOH, if you store the userid as a cookie on my machine, I can get in and edit
it - changing the username to 'admin'. And if you use 'admin' as your logon to
your private administrative area, I now have access to all of your admin functions.
And you also need to remember that cookies are sent in plain text (unless you're
using the https protocol). So anyone between you and your site can sniff out your
userid. Admittedly the chances of this happening to the typical site are small -
but it is possible.
It always pays to keep sensitive stuff on the server!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
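The contrast Jerry draws above, as an added PHP example (not code from the thread or from any poster): a lookup that trusts a client-editable 'userid' cookie, next to the session-based version where only the session id reaches the browser. The user store, the password check and the route handling at the bottom are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Shows the two approaches
// discussed: trusting a user-editable 'userid' cookie versus keeping the
// identity in $_SESSION with only the session id on the client.

// Cookie attributes for the session id. Must run before session_start() and
// before any output. 'secure' limits the id to HTTPS (the sniffing case),
// 'httponly' keeps page scripts from reading it, 'samesite' limits cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_start();

// Constructed user store (assumption for the demo): one account, password "s3cret".
function user_store(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['gary' => password_hash('s3cret', PASSWORD_DEFAULT)];
    }
    return $store;
}

// Constructed password check (assumption for the demo).
function check_password(string $user, string $pass): bool
{
    $hash = user_store()[$user] ?? null;
    return $hash !== null && password_verify($pass, $hash);
}

// --- INSECURE: the identity lives in a cookie the client controls. ---
// Editing the browser's 'userid' cookie to 'admin' is all an attacker needs.
function current_user_insecure(): ?string
{
    return $_COOKIE['userid'] ?? null;
}

// --- SAFER: the identity lives in $_SESSION on the server. ---
function login(string $user, string $pass): bool
{
    if (!check_password($user, $pass)) {
        return false;
    }
    // Fresh id after authentication so a pre-set (fixated) id is not upgraded.
    session_regenerate_id(true);
    $_SESSION['userid'] = $user;
    return true;
}

function current_user(): ?string
{
    return $_SESSION['userid'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Gate for the private admin area. Reads current_user(), never a cookie.
function require_admin(): void
{
    if (current_user() !== 'admin') {
        http_response_code(403);
        exit('forbidden');
    }
}

// Minimal request handling so the file runs as-is (assumed form fields
// 'user' and 'pass' on a POST to /login).
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if ($method === 'POST' && $path === '/login') {
    $ok = login($_POST['user'] ?? '', $_POST['pass'] ?? '');
    echo $ok ? 'logged in as ' . htmlspecialchars(current_user()) : 'bad credentials';
} else {
    $who = current_user();
    echo $who === null ? 'not logged in' : 'hello, ' . htmlspecialchars($who);
}
```

On the point about passing the session id as a GET parameter: that mode (session.use_trans_sid) is off by default in current PHP releases, and leaving it off is the better choice, since an id in the URL ends up in server logs, browser history and Referer headers sent to other sites.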