For the login system on my previous site, I used a 'cookie' system, where a cookie was set with the user's username whenever they logged on to remember them being logged in (obviously this cookie username was used to access a MySQL database).
For a new site I might be working on (I made a mockup home-page at http://www.tiffinmaths.co.uk/whichuni) I'm thinking of using 'sessions' instead.
Would someone kindly be able to tell me the advantages of using 'sessions' (which uses cookies) instead of my usual cookie system?
Security is an issue since fairly personal data is going to be stored, hence security needs to be quite tight in order to comply with the Data Protection Act.

Any advice would be greatly appreciated.

Jamie

    Cookies: stored on the local computer (the user's).
    Can be spoofed... can be disabled and deleted by the user...

    Sessions: stored on the remote computer (the www host).
    Can't really be spoofed unless you allow them to enter bad data into a variable used for these, and they do not rely on any settings at the user's end... i.e. can't be disabled.

      Originally posted by JimJamJammin
      Would someone kindly be able to tell me the advantages of using 'sessions' (which uses cookies) instead of my usual cookie system?
      Security is an issue since fairly personal data is going to be stored, hence security needs to be quite tight in order to comply with the Data Protection Act.

      Sessions store their data on the server, and are not visible to the standard user. Implemented properly, they can be almost impossible to circumvent (unless you want to guess the session ID at random).

      Sessions do store cookies, yes. However this cookie is only to pass the session ID along through the session. This can be disabled and you can force passing of the session ID through a URL, however. Beware that forcing the sessid through a url is not a good move for what you're doing. 🙂

      I don't recommend using cookies to check if your visitor is valid. Stick to sessions only, and store your session data in a database using your own session handling functions.

        Originally posted by Jeb.
        However this cookie is only to pass the session ID along through the session.

        Furthermore, this session ID is randomly generated (it doesn't actually mean anything except to your server) and changes from session to session; the browser doesn't retain it once it's closed, and the server forgets it after a while as well.

          I store sessions in MySQL and every time a user visits it updates their last visit, location, IP, etc. It's a very secure way.

          In the table I have the time, and after xx minutes (when the user is presumed to be logged out) the session hash is deleted automatically.

          I let my users decide whether they want to use sessions or cookies, because sessions do have a downside, such as users behind proxies.

            I used a session-based login system, and found them very unreliable. Plus cookies are better because you don't have to write as much code; for example, they time out after a given length of time on their own, so you do not have to write a script to check if they are out of time. From experience, whilst sessions are very useful, I would use cookies.

              In either case (sessions vs. cookies), what really makes the system the most secure is how you validate and encrypt the login data.

              Here is a link that explains how sessions can be exploited.

              http://www.acros.si/papers/session_fixation.pdf

              You need to use some sort of encryption like md5 or crypt in conjunction with either sessions or cookies.

              I store a crypt hash value created from a combination of the user's IP address and a unique code associated with the particular user that is retrieved from the user login. If you really want a secure login you should also use SSL.
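The server-side store that Jeb.'s post, the MySQL-table post and the session-fixation paper above describe, as an added Python example that is not code from any poster: a random session ID that means nothing except to the server, an idle timeout that deletes the session (the "xx minutes" above; 20 minutes is an assumed value), and a fresh ID issued at login so an ID planted before login never becomes the authenticated one. The in-memory dict and the injected clock stand in for the MySQL table.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60  # assumed value for the thread's "xx minutes"


@dataclass
class Session:
    user: Optional[str]      # None until the user has logged in
    last_seen: float         # updated on every request, like "last visit" in the table
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: not guessable, and meaningless off the server
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._now())
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if unknown or idle too long."""
        self.purge_expired()
        session = self._sessions.get(sid)
        if session is not None:
            session.last_seen = self._now()
        return session

    def login(self, sid: str, user: str) -> str:
        """Attach a user and rotate the ID: the session-fixation defence from the linked paper."""
        old = self.get(sid)
        if old is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]  # the pre-login ID is dead from here on
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._now(), data=old.data)
        return new_sid

    def purge_expired(self) -> int:
        """Delete sessions idle longer than IDLE_TIMEOUT; returns how many were removed."""
        cutoff = self._now() - IDLE_TIMEOUT
        dead = [sid for sid, s in self._sessions.items() if s.last_seen < cutoff]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```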
