On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote:

> I right now have a complete user login and registration system; however, it
> uses cookies when you login to store information. Is this a bad
> thing?
>
> Subject: $_COOKIE vs $_SESSION for login systems
>
> From, Michael Calkins
> michaelcalk...@live.com
> 425-239-9952

VERY bad idea! :p

Basically, cookies should only be used to store general non-personal
information. Sessions are for anything that you want to keep out of
prying eyes. The reason is that cookies are just plain text files
on the client machine, and can effectively be read by another program or
person very easily.

Sessions make use of cookies to store the session_id whilst a user is
logged in, but you should destroy the session after you no longer need
it to remove the chance of someone getting hold of it and spoofing a
request to your server. This can be done by destroying the session when
a user logs out and by setting a default timeout on a session.

Sessions are easier to use than cookies, I've found. You can add
information to the session and read it right back without needing the
client's browser to make a new request to your server with the updated
cookie in the header. You can store far more information in a session
(exactly how much more depends on your server setup, obviously) and in a
much more logical manner than in a cookie.

This is not to say that cookies don't have their uses, but I think for a
login system they introduce potential security issues which can be


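The pattern the reply recommends (login state in $_SESSION, session destroyed on logout and after a timeout, session id regenerated at login), as an added example that is not code from the thread or either poster. The insecure cookie-only login is shown first for contrast. The user store (find_user and its hard-coded 'alice' entry), the IDLE_TIMEOUT value and the POST field names are constructed stand-ins; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original thread: keep the logged-in state in
// $_SESSION rather than in a plain cookie, regenerate the session id at login,
// and destroy the session on logout and after an idle timeout.

const IDLE_TIMEOUT = 1800; // constructed value: seconds of inactivity before the session is dropped

// The pattern the original poster describes: login state lives in a cookie that
// the browser (or anyone who can read the cookie file) can edit freely, and later
// requests trust $_COOKIE['user'] unconditionally. This is the forgeable design.
function insecure_login_with_cookie(string $username): void
{
    setcookie('user', $username, time() + 86400);   // plain text, client side
}

function start_session(): void
{
    // The session cookie carries only the session_id. HttpOnly keeps scripts from
    // reading it, Secure restricts it to HTTPS, SameSite=Lax limits cross-site sends.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed stand-in for a user store; in practice this is a database query.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh session id on privilege change, so an id planted before login
    // (session fixation) does not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

// Call on every request that requires a logged-in user.
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();               // timed out: drop the session entirely
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie in the browser as well as deleting the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch (constructed POST field names 'action', 'username', 'password').
start_session();
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    if (!login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        http_response_code(401);
        exit('bad credentials');
    }
} elseif ($action === 'logout') {
    logout();
}
$uid = current_user_id();
echo $uid === null ? 'not logged in' : "logged in as user $uid";
```

The only thing the browser ever holds is the session id; everything that identifies the user stays in server-side session storage, which is the distinction the reply is drawing between $_COOKIE and $_SESSION.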