Sessions and Cookies...

lolwut · 29-01-2008, 06:45 PM

Right, well, yeah...
Basically some people are all like "Sessions are the sex. Don't use cookies they're <insertafairlyrudewordhere>".
What I'm wondering is... What's the actual difference?

Because I really don't know and some people are like... Well yeah, what I said above, and some people are like "I prefer cookies."
So explain this to me if you can, I really don't get it.

Invent · 29-01-2008, 06:53 PM

Sessions are stored server-side really and cookies are client-side.

So basically, cookies can be modified which scares some developers.

MrCraig · 29-01-2008, 07:05 PM

Can you not protect cookies from being edited in any way?

As vBulletin must use cookies and it isnt exactly insecure.

Invent · 29-01-2008, 08:15 PM

Cookies are perfectly secure if you use them properly.

Some people set a cookie with someone's username/password/etc but when they check if the user is logged in or for SQL Queries (which contain the user's account name) in the script they only use the username in the cookie. So if you modified your username cookie you could get other peoples information or go in their account.

Obviously you can stop people from doing the above by making your script secure. But some people dont (E.G Naresh & his user system).

Agnostic Bear · 30-01-2008, 04:10 AM

Originally Posted by Invent

Cookies are perfectly secure if you use them properly.

Some people set a cookie with someone's username/password/etc but when they check if the user is logged in or for SQL Queries (which contain the user's account name) in the script they only use the username in the cookie. So if you modified your username cookie you could get other peoples information or go in their account.

Obviously you can stop people from doing the above by making your script secure. But some people dont (E.G Naresh & his user system).

Yeah but Naresh doesn't even add anti spam to his coding so there's about as much use trusting his coding as there is trusting a bum with your credit card and pin.

Also you can stop it (like vbulletin does) by storing a secured password hash in your cookie, when your script looks at the username, grabs your already encrypted password, then encrypts it again (to get the even more secure one for the cookie) and if they're not the same then you can just kick them out.

Thread: Sessions and Cookies...

Thread Tools

Sessions and Cookies...

Posting Permissions