
View Full Version : Sessions and Cookies...



lolwut
29-01-2008, 06:45 PM
Right, well, yeah...
Basically some people are all like "Sessions are the sex. Don't use cookies they're <insertafairlyrudewordhere>".
What I'm wondering is... What's the actual difference?

Because I really don't know and some people are like... Well yeah, what I said above, and some people are like "I prefer cookies."
So explain this to me if you can, I really don't get it.

Invent
29-01-2008, 06:53 PM
Sessions are stored server-side really and cookies are client-side.

So basically, cookies can be modified which scares some developers.

MrCraig
29-01-2008, 07:05 PM
Can you not protect cookies from being edited in any way?

As vBulletin must use cookies and it isn't exactly insecure.

Invent
29-01-2008, 08:15 PM
Cookies are perfectly secure if you use them properly.

Some people set a cookie with someone's username/password/etc. but when they check if the user is logged in or for SQL queries (which contain the user's account name) in the script they only use the username in the cookie. So if you modified your username cookie you could get other people's information or go in their account.

Obviously you can stop people from doing the above by making your script secure. But some people don't (e.g. Naresh & his user system).

Agnostic Bear
30-01-2008, 04:10 AM
Cookies are perfectly secure if you use them properly.

Some people set a cookie with someone's username/password/etc. but when they check if the user is logged in or for SQL queries (which contain the user's account name) in the script they only use the username in the cookie. So if you modified your username cookie you could get other people's information or go in their account.

Obviously you can stop people from doing the above by making your script secure. But some people don't (e.g. Naresh & his user system).

Yeah, but Naresh doesn't even add anti-spam to his coding, so there's about as much use trusting his coding as there is trusting a bum with your credit card and PIN.


Also you can stop it (like vBulletin does) by storing a secured password hash in your cookie; when your script looks at the username, it grabs your already encrypted password, then encrypts it again (to get the even more secure one for the cookie), and if they're not the same then you can just kick them out.
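
Added example, not part of the thread and not vBulletin's code: the username-only check described above next to the recompute-and-compare check, written in Python. The user table, secret, function names and the use of HMAC-SHA256 as the second hashing step are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a server-side secret and a user table holding
# already-hashed passwords (the hash strings are stand-ins, not real output).
SERVER_SECRET = b"constructed-secret-for-this-example"
USERS = {
    "alice": {"pw_hash": "stored-hash-of-alice-password", "email": "alice@example.test"},
    "bob": {"pw_hash": "stored-hash-of-bob-password", "email": "bob@example.test"},
}


def cookie_token(pw_hash: str) -> str:
    """Second, keyed hash over the stored password hash; this goes in the cookie."""
    return hmac.new(SERVER_SECRET, pw_hash.encode(), hashlib.sha256).hexdigest()


def issue_cookies(username: str) -> dict:
    """Cookies set after a successful login (the login step itself is not shown)."""
    return {"username": username, "token": cookie_token(USERS[username]["pw_hash"])}


def lookup_trusting_username(cookies: dict):
    """Weak check: only the username cookie is consulted."""
    user = USERS.get(cookies.get("username", ""))
    return user["email"] if user else None


def lookup_verified(cookies: dict):
    """Look the user up by name, recompute the token, compare before trusting."""
    user = USERS.get(cookies.get("username", ""))
    if user is None:
        return None
    expected = cookie_token(user["pw_hash"]).encode()
    supplied = cookies.get("token", "").encode()
    # Constant-time comparison; any mismatch is treated as logged out.
    if not hmac.compare_digest(expected, supplied):
        return None
    return user["email"]


def edited_cookie_results():
    """bob logs in, then changes only his username cookie to 'alice'."""
    cookies = issue_cookies("bob")
    cookies["username"] = "alice"
    return lookup_trusting_username(cookies), lookup_verified(cookies)
```

With the edited cookie the first lookup returns alice's record while the second returns nothing, because the token was derived from bob's stored hash.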
