On Wednesday, February 13, 2002, at 08:35 AM, Chris Skinner wrote:
> The answer that I have come to understand is that sessions are more
> secure than cookies in that the information is stored on the server side
> instead of the client side. This way it is harder to steal, alter or intercept.
> The other reason is that users can even reject cookies, thus disallowing
> content monitoring or dynamic changes.

The difference is more a matter of where the data is stored than the security of the data -- cookies are stored in the client's user agent, session variables are stored on the server. Cookie data is easily spoofed (anyone can whip up some Perl to tell the server that there is a cookie named "username" whose data is "erikprice").

But keep in mind that sessions, while stored on the server, still set a variable on the client side so that the user agent can constantly remind the server of who they are. The server would otherwise have no way of knowing that one request was from the same user agent as another. This is done either through setting a cookie called PHPSESSID (or something like that), which has a randomly generated ID number, or by appending the PHPSESSID to the querystring of each GET request made by the user agent. This is done by the PHP coder herself, not automatically, unless you have configured your PHP installation to automatically append a SID to -all- GET requests.

Regardless of whether the identification is contained within a cookie on the client side or whether it is passed along in the querystring, it is transmitted unencrypted and so in theory is vulnerable to snooping. Unless you are connected to the server via SSL. A clever Perl script -could- hijack your session, but it would require the villain to be quick. Note that this is not a limitation of PHP but rather of the HTTP protocol which governs WWW interactions -- unless you're using an encrypted connection like SSL, there is no way around this fact.
HTH,

Erik

PS: the transmission of viruses via cookies or sessions is not really relevant, though probably a common worry.

----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
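The contrast Erik draws, written out as an added PHP example (this is not code from the message or from PHP itself): the weak pattern reads the identity straight out of a client-held cookie, which the user agent can send back with any value; the safer pattern keeps the username in `$_SESSION` on the server and lets only the random `PHPSESSID` cross the wire, with that cookie restricted to SSL/TLS connections so the snooping he describes does not apply to it. The example assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`; the cookie name `username`, the value `erikprice`, and the `login` form field are taken from or constructed for the message, and credential checking is deliberately left out.

```php
<?php
// Added example (not part of the original message): client-held cookie data
// versus a server-side session identified by an opaque, random ID.
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().

// --- Weak pattern: the identity is the cookie value itself. ---
// Whatever the user agent sends in "Cookie: username=..." is taken at face
// value, so a client can claim to be "erikprice" without ever logging in.
function userFromPlainCookie(): ?string
{
    return $_COOKIE['username'] ?? null;   // client-controlled, trivially spoofable
}

// --- Safer pattern: only a random session ID leaves the server. ---
// The data lives in $_SESSION; the client holds nothing but PHPSESSID.
function startSecureSession(): void
{
    // Accept the session ID from a cookie only, never from the query string,
    // so it does not leak through Referer headers, bookmarks or proxy logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only, addressing the snooping concern
        'httponly' => true,   // not readable by client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after credentials have been verified (verification is out of scope here).
function loginUser(string $username): void
{
    // Issue a fresh ID after authentication, so an ID observed before login
    // is not tied to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function userFromSession(): ?string
{
    return $_SESSION['username'] ?? null;   // server-side, not client-controlled
}

startSecureSession();

if (isset($_POST['login'])) {
    // Hypothetical login form; a real application verifies a password hash first.
    loginUser('erikprice');
}

header('Content-Type: text/plain');
echo "Cookie claims user:  ", userFromPlainCookie() ?? '(none)', "\n";
echo "Session records user: ", userFromSession() ?? '(not logged in)', "\n";
```

Run this behind HTTPS and compare the two lines: sending a forged `username` cookie changes the first line but never the second, because the second comes from server state reachable only through a `PHPSESSID` the server generated. The `secure` flag is what prevents the session cookie from being transmitted in the clear on a plain HTTP request, which is the exposure Erik points to for both the cookie and the querystring variants.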