
Sessions or other method


supermanjnk

2:38 am on Sep 2, 2004 (gmt 0)

10+ Year Member



I have a login script that I wrote. Currently it takes the username/password you enter and validates it against a MySQL database. If it's valid, it shows you the content and creates a cookie that's valid for 24 hours or so. If you go to the site while you have that cookie, you get the content that you would get while logged in. What I'm wondering is: would it be easier/more secure/faster to use sessions?

RonPK

3:38 pm on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Cookies are very handy because the user won't have to log in every time he visits your site. That can't be done with sessions, as sessions usually expire after a few hours.

If the cookie only says 'verified less than 24 hrs ago', it wouldn't be very secure. Remember that a cookie is simply a text file and thus very easy to create and copy.

A widely used method is this:
1. Let the user log in.
2. If username and password match the database: send a cookie with username and password. Expiration date somewhere in the far future.
3. Start a session.
4. With every request for a page, verify $_SESSION['username'] and $_SESSION['password'] against the database.

To optimize things, you could store the password encrypted, both in the database and in the cookie. If the user wants to modify account settings, ask [him|her] to enter the password, preferably on a secure https-page. That way you'll be sure that account settings (like the password) can't be changed with hijacked cookies or with a password stolen during an illegal peek in the database.
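The four steps above, plus the "ask for the password again before changing account settings" advice, written out in modern PHP as an added example; this is not code from the thread or from either poster. It assumes a PDO connection `$db` and a hypothetical table `users(id, username, password_hash, remember_hash)`, with `password_hash` holding `password_hash()` output (the "store the password encrypted" optimisation). One deliberate swap from step 2 is labelled in the code: instead of putting username and password in the long-lived cookie, it issues a random remember-me token and keeps only that token's SHA-256 in the database, so neither a copied cookie nor a copied database row reveals the password, and step 4's per-request database check is done against that token.

```php
<?php
// Added example (not from the thread). Assumes PDO $db and a hypothetical table
//   users(id, username, password_hash, remember_hash)
// Step 2 of the post puts username+password in the cookie; here a random
// remember-me token is used instead, stored server-side only as its SHA-256.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;   // "far future" expiry: 30 days

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Steps 1-3: check the credentials, start a session, optionally set the cookie.
function login(PDO $db, string $username, string $password, bool $remember): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal whether the username exists.
    $hash = is_array($row) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !is_array($row)) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);            // fresh session id after authentication
    $_SESSION['user_id'] = (int) $row['id'];

    if ($remember) {
        $token = bin2hex(random_bytes(32)); // 64 hex chars, unguessable
        $upd = $db->prepare('UPDATE users SET remember_hash = ? WHERE id = ?');
        $upd->execute([hash('sha256', $token), $row['id']]);
        setcookie(REMEMBER_COOKIE, $row['id'] . ':' . $token, [
            'expires' => time() + REMEMBER_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    return true;
}

// Step 4, on every request: a live session wins; otherwise the remember cookie
// is re-checked against the database before it is trusted.
function current_user_id(PDO $db): ?int
{
    start_secure_session();
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                        // malformed or absent cookie
    }
    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE id = ?');
    $stmt->execute([(int) $m[1]]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $m[2]))) {
        return null;                        // unknown user or token revoked/forged
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $m[1];
    return (int) $m[1];
}

// Last paragraph of the post: account changes require the password again, so a
// hijacked cookie alone cannot change it. Changing it also revokes the token.
function change_password(PDO $db, int $userId, string $current, string $new): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($current, $hash)) {
        return false;
    }
    $upd = $db->prepare('UPDATE users SET password_hash = ?, remember_hash = NULL WHERE id = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
}
```

A login form handler would call `login($db, $_POST['username'], $_POST['password'], isset($_POST['remember']))` over HTTPS, and every protected page would gate on `current_user_id($db) !== null`. Because the database holds only the token's hash and the cookie holds only the token, step 4's check (`hash_equals` against the stored hash) is what turns a mere text file into something the server can actually vouch for, which is the weakness the reply identifies in the "verified less than 24 hrs ago" cookie.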