--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> I'm using PHP sessions for user tracking.  My host provider's server is
> dropping session data.  He swears it's my scripts and says I should be
> using cookies for better security.  That goes completely opposite to my
> understanding, so I'd like to run it by you guys.  Which is more secure:
> PHP sessions or cookies?

First, I'd like to point out that sessions and cookies aren't opposite
ideas at all. In fact, PHP's default session mechanism uses cookies for
the session identifier (PHPSESSID).

The way I interpret your question is to ask whether it's better to store
session data on the server (in $_SERVER) or on the client (in cookies).
When stored on the client, you rely on the client to send all session data
to the server for every single request. These requests are sent across the
Internet. The Internet is a public network. Hopefully this makes it clear
that storing data on the server is more secure than having it sent across
a public network for every single HTTP transaction (multiple transactions
are typically required to render a single Web page).

I think your instinct ("That goes completely opposite to my
understanding") serves you well. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
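
The difference described in the reply above, as an added example that is not part of the original message: a PHP CLI script that prints what travels in the Cookie header on every request when session data is kept on the client, and what travels when it is kept on the server through PHP's `$_SESSION` superglobal. The user values, function names, and the temp-directory save path are assumptions made for the illustration.

```php
<?php
// Added illustration, not from the original message. Run with: php demo.php
// Constructed sample data standing in for what an application tracks per user.
$userData = ['user_id' => '42', 'email' => 'user@example.org', 'role' => 'member'];

// Design A: session data kept on the client, one cookie per value.
// Every value is repeated in the Cookie header of every request.
function clientSideCookieHeader(array $data): string
{
    $pairs = [];
    foreach ($data as $name => $value) {
        $pairs[] = $name . '=' . rawurlencode($value);
    }
    return 'Cookie: ' . implode('; ', $pairs);
}

// Design B: PHP's default mechanism. Data goes into $_SESSION and is written
// to the server's session store; the client only holds the identifier.
function serverSideSession(array $data): array
{
    session_save_path(sys_get_temp_dir()); // assumption: writable temp dir
    session_start();                       // must run before any output
    $_SESSION = $data;
    $id = session_id();
    session_write_close();                 // flush to the "files" handler

    $file = session_save_path() . '/sess_' . $id;
    $stored = is_file($file) ? file_get_contents($file) : '(other handler)';
    if (is_file($file)) {
        unlink($file);                     // clean up the demo session
    }
    return [
        'header' => 'Cookie: ' . session_name() . '=' . $id,
        'stored' => $stored,
    ];
}

$b = serverSideSession($userData);         // session first, output after
$a = clientSideCookieHeader($userData);

echo "Client-side storage, sent on every request:\n  $a\n";
echo "Server-side storage, sent on every request:\n  {$b['header']}\n";
echo "Server-side storage, kept in the server's session file:\n  {$b['stored']}\n";
```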
