Sessions or cookies?

webpoet

I´m going to build a private community site where users have to log in to get basic access. Further than that there will also be differet userlevels with different rights.

My first basic question is: What is more secure, to use my custom cookies or sessions ?

Second: How much can cookies/sessions be trusted ? Can I for instance save the users level in a session instead of looking it up in the database for each page he visits ?

Thanks in advance.

trooper

Hmmm Cookies 😃

I'd go for sessions as they are stored on the server and no-one (bar the server admin) can get to them

Also remember that people turn off cookie acceptance and so you can't guarentee that cookies will work

HTH

statrat

I'd go for sessions as they are stored on the server and no-one (bar the server admin) can get to them

not true. sessions can be (sometimes) hijacked, sometimes easily, and other users on shared servers, or on proxies, can in some cases access your session data, depending on where it's stored, security, etc.
they also can appear in urls in search engines, email, etc.

trooper

Well pointed out statrat -

What i meant to say was the inherently sessions are not as easy to bypass / modify as cookie.

Yes starat is right there are still issues with them but if the user cannot actually get to the file that contains the session data then that is more secure than having a cookie on the clients machine.

Back to the reading material for me 😕

stolzyboy

yes statrat, you are correct, sessions can be found, however if you code it wisely, i mean destroying sessions when they are not needed anymore, and checking to make sure a session is still alive, and timing out sessions, you will find that sessions are much more secure and easy to use than cookies, and yes, you aren't always assured that users will have cookies enabled on their machines

trooper

I knew someone would get my meaning

:rolleyes: