
Sessions vs cookies?



motormichael12
08-06-2008, 03:56 AM
What are the benefits of using sessions as to using just cookies and vice versa?

Nile
08-06-2008, 01:36 PM
Sessions:
These stay in contact with the browser until you close the browser. They are useful at times when you want a user to sign into something. But when the user signs out, it deletes the cookie.
Cookie:
They stay in contact with the browser until the specific expiration date, whether you make it 5 minutes or 5 years. It will stay unless the client clears their cookies.

blm126
08-06-2008, 05:07 PM
Sessions:
More secure than cookies. A session can last as long as the cookie that is set. Session data is stored on the server, so users can't mess with internal data stored in a session. Sessions can store more information than cookies. Make sure that if you are storing sensitive information in sessions, you are logging the IP and making sure it doesn't change, to prevent session hijacking.
Cookies:
Great for small amounts of data. Must be treated as insecure. May not be accepted by the browser.

motormichael12
08-06-2008, 05:53 PM
I am making a browser based game (like tribalwars or vilecity, just click to do actions) and only need cookies to tell who is logged in, as well as the hashed password in a cookie to prevent name editing.

Every time the page loads it will check for existence of the cookies, as well as check that the name and password match in the database. If not, they go to a login page. If so, they see the content.

Would cookies alone be enough for this?

Note that the password in the database is hashed, so when logging in it does this in order:
1. hash the input for the password field.
2. check if it matches the password (hashed on registration) for the user entered.
3. If it matches it would set the cookie as the hashed password, identified in step 1 but only made after step 2 comes back as true.
4. on each page load, do step 2 to make sure that it still matches, and if it does it will continue showing content.

blm126
08-06-2008, 06:03 PM
Yes, cookies would be enough. Though, be aware that this will require a call to the database that could be avoided with sessions (at the price of checking for session hijacking). As long as you don't implicitly trust cookie data, you will be fine.
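As an added illustration of the login flow described above and of the "don't implicitly trust cookie data" advice (example code, not posted by anyone in the thread): the browser only holds an opaque random session id, every page load is resolved against a server-side store, and the IP check the thread recommends is included. The user table, the SHA-256 password hashing and the `SessionStore` API are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table: username -> password hashed at registration.
# The thread only says "hashed"; SHA-256 here is an assumption for the demo.
def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

USERS = {"alice": hash_password("correct horse")}

def user_from_trusted_cookie(cookie: dict):
    """The design the thread warns about: whatever name the cookie carries
    is taken as the logged-in user, with no server-side check at all."""
    return cookie.get("user")

class SessionStore:
    """Server-side sessions: the cookie value is an unguessable id that means
    nothing by itself, so editing it cannot change who the server thinks you are."""
    def __init__(self, ttl_seconds: int = 3600):
        self.sessions = {}  # session id -> {"user", "ip", "expires"}
        self.ttl = ttl_seconds

    def login(self, username: str, password: str, client_ip: str, now=None):
        now = time.time() if now is None else now
        stored = USERS.get(username)
        # compare_digest keeps the comparison time independent of where it differs
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits: not enumerable by guessing
        self.sessions[sid] = {"user": username, "ip": client_ip, "expires": now + self.ttl}
        return sid

    def current_user(self, cookie_sid, client_ip: str, now=None):
        """Resolve the cookie on each page load; any failure means logged out."""
        now = time.time() if now is None else now
        entry = self.sessions.get(cookie_sid or "")
        if entry is None:
            return None
        # Expired, or the address changed (the hijack check from the thread;
        # note this also logs out clients whose address legitimately changes).
        if now >= entry["expires"] or entry["ip"] != client_ip:
            self.sessions.pop(cookie_sid, None)
            return None
        return entry["user"]

    def logout(self, cookie_sid):
        self.sessions.pop(cookie_sid, None)
```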

motormichael12
08-06-2008, 06:07 PM
I remember going to a site that, while messing with cookies, I noticed it saved the username and password (password was directly entered, not hashed or anything).

I got bored and changed the username to an admins username and went to the site, and I was suddenly on that admins account...

I guess it didn't check for a match :O

That's why I wanted to know if it would be safe to use cookies for this.