Paul M Foster wrote:
This is in two parts. First cookies. I'm a little unclear on how they
work. From what I've read, cookies are stored by the browser. When a
request for that cookie comes in from the server, the browser returns
only the value, and no other data. One question: When the browser
requests a page from a server, does it automatically search its cookies
for that domain and send them along with the other requests? If that's
now how it works, then how does it work?
The browser sends all cookie information as part of the request.
You can see this by creating a dummy page that does not call
seesion_start() that includes an XSS attack that reads the cookie and
displays the session ID in an alert.
Second part is about sessions. According to the notes for the cookies
page at php.net, it's considered bad practice to store user IDs and
passwords in cookies. It's considered better practice to use PHP's
native session-handling code to do this. But if a user has cookies
turned on in the browser, then PHP will store the session information
(possibly user ID and password) as a cookie. So what's the difference?
session stuff is stored server side, only the session ID is stored in
It is still a bad idea to store username and password in the session
because if you are on a shared server and you are not using a DB for
session management (default is not to) another user on the server can
read your cookies.
Even if you are using a database for session management, storing
username/password in the session is a risk in case there is an sql
injection attack that succesfully dumps your session database (which is
bad enough w/o it exposing passwords).
I store a user id in the session and get the username from a db lookup
if/when I need the username (but storing the username itself isn't
really dangerous and would save an sql lookup in some cases).
There's no need to store password. If the user is not logged in, the
session userid is set to 0. Anything that requires authentication in my
code requires a session userid > 0 - and the userid can only be changed
to a positive value via login.
A gotcha - changing a session variable doesn't actually happen until the
So if you set a session variable and then use the session variable later
in the script, it will use the OLD value and not the new value, because
the new value hasn't yet been written to the session.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php