On Wednesday, February 13, 2002, at 08:35 AM, Chris Skinner wrote:

> The answer that I have come to understand is that sessions are more secure
> than cookies in that the information is stored on the server side instead
> of the client side.  This way it is harder to steal, alter or intercept.
> The other reason is that users can even reject cookies, thus disallowing
> content monitoring or dynamic changes.

The difference is more a matter of where the data is stored than the 
security of the data -- cookies are stored in the client's user agent, 
session variables are stored on the server.  Cookie data is easily 
spoofed (anyone can whip up some Perl to tell the server that there is a 
cookie named "username" whose data is "erikprice").

But keep in mind that sessions, while stored on the server, still set a 
variable on the client side so that the user agent can constantly remind 
the server of who they are.  The server would otherwise have no way of 
knowing that one request was from the same user agent as another.  This 
is done either through setting a cookie called PHPSESSID (or something 
like that), which has a randomly generated ID number, or by appending 
the PHPSESSID to the querystring of each GET request made by the user 
agent.  This is done by the PHP coder herself, not automatically, unless 
you have configured your PHP installation to automatically append a SID 
to -all- GET requests.

Regardless of whether the identification is contained within a cookie on 
the client side or whether it is passed along in the querystring, it is 
transmitted unencrypted and so in theory is vulnerable to snooping, 
unless you are connected to the server via SSL.  A clever Perl script 
-could- hijack your session, but it would require the villain to be 
quick.  Note that this is not a limitation of PHP but rather of the HTTP 
protocol which governs WWW interactions -- unless you're using an 
encrypted connection like SSL, there is no way around this fact.

PS: the transmission of viruses via cookies or sessions is not really 
relevant, though probably a common worry.

Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
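The two identification schemes Erik contrasts above, as an added example that is not part of the original mail: a server that trusts a plain "username" cookie versus one that only trusts a random session ID it issued itself, with the ID read from a PHPSESSID cookie or, failing that, from the query string. The request fragments are constructed; PHPSESSID is PHP's default session cookie name, but the store and helper functions are this example's own, not PHP's API.

```python
"""Cookie-vs-session demo (added example, not from the original mail).

Models the two identification schemes with constructed HTTP request
fragments; no network and no real PHP involved.  PHPSESSID is PHP's
default session cookie name; the store and helpers are this example's
own invention, not PHP's API.
"""
import secrets
from urllib.parse import parse_qs

SESSION_COOKIE = "PHPSESSID"


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie: header value into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def identify_by_cookie(cookie_header: str):
    """Scheme 1: trust a plain 'username' cookie.  Whatever the user agent
    sends is believed, so the value is trivially forgeable."""
    return parse_cookie_header(cookie_header).get("username")


class SessionStore:
    """Scheme 2: the data lives server-side, keyed by a random session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_hex(16)          # 128 random bits: not guessable
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def session_id_from_request(cookie_header: str, query_string: str):
    """Extract the session ID the way the mail describes: from the PHPSESSID
    cookie if present, otherwise from the query string."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    if sid is None:
        sid = parse_qs(query_string).get(SESSION_COOKIE, [None])[0]
    return sid


def identify_by_session(store: SessionStore, cookie_header: str,
                        query_string: str = ""):
    """Resolve a request to its server-side session data, or None when the
    presented ID is unknown (forged, expired, or never issued)."""
    sid = session_id_from_request(cookie_header, query_string)
    return None if sid is None else store.lookup(sid)


if __name__ == "__main__":
    store = SessionStore()
    real_sid = store.create({"username": "erikprice"})

    # Forging the cookie scheme: accepted without question.
    print(identify_by_cookie("username=erikprice"))
    # Forging a session ID: rejected, the store never issued it.
    print(identify_by_session(store, f"{SESSION_COOKIE}=0000000000000000"))
    # The legitimate user via the query-string variant: accepted.
    print(identify_by_session(store, "", f"{SESSION_COOKIE}={real_sid}"))
    # A snooped ID replayed by someone else: also accepted, which is the
    # hijack the mail warns about when the ID travels without SSL.
    print(identify_by_session(store, f"{SESSION_COOKIE}={real_sid}"))
```

The forged session ID fails only because the server never issued it; a sniffed real ID works for whoever presents it, which is exactly why the transport, not the storage location, is what SSL protects here.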