Session vs Cookie


  1. #1
    Join Date
    Dec 1969

    Session vs Cookie

    This site has a few articles that explain to us that sessions are harmful, so I removed all the sessions on my site and used alternatives to replace them.

    I use a cookie to keep track of whether a user has logged in or not. I didn't specify the expire period, so the cookie won't be stored in the Cookies folder of the user's PC. I felt safe as I thought that the user couldn't edit the cookie until I read an article from CNET (please refer below).

    "The problem with session state management is that it is fundamentally insecure. A hacker can intercept the cookies, form values, or URLs that are used to manage the session state when they are passed back and forth between browser and server. Once intercepted, the hacker can then use this information to take over the user's session." --

    Can someone explain to me what's the best way (session or cookie) to authenticate users? Thank you.

  2. #2
    Ian Stallings Guest

    RE: Session vs Cookie

    This is actually a good, accurate article. If security is a big issue on the site then perhaps you should consider using SSL to encrypt the transmission of the username and password. If you wanted you could also encrypt the u/p in the cookie and decrypt it on the server. This is the solution I would recommend for a good secure site and the one I've actually used on quite a few large transaction-based sites.

  3. #3
    JHodges Guest

    RE: Session vs Cookie

    That article is correct and it happens a lot. I use sessions but I did my own encryption and stored the information in the database instead of a cookie on the user's machine.
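
An added example, not part of the thread and not any poster's code: a Python sketch of the two ideas raised above, keeping the login state on the server (a dictionary stands in for the database) and sending only a random identifier in a cookie that is restricted to SSL/TLS. The names `SESSIONS`, `SESSION_TTL`, `issue_session_cookie`, `authenticate` and `logout` are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # assumed idle limit in seconds
SESSIONS = {}       # stand-in for a database table: session id -> (username, expiry)

def issue_session_cookie(username, now=None):
    """Create a server-side session; return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits, carries no user data
    SESSIONS[sid] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True    # only sent over SSL/TLS
    cookie["sid"]["httponly"] = True  # not readable from page script
    return cookie["sid"].OutputString()  # no Expires: browser keeps it in memory only

def authenticate(cookie_header, now=None):
    """Return the username for a request's Cookie header, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" not in cookie:
        return None  # e.g. a hand-edited "loggedin=1" cookie proves nothing
    sid = cookie["sid"].value
    record = SESSIONS.get(sid)
    if record is None:
        return None  # unknown or guessed id
    username, expires = record
    if now >= expires:
        del SESSIONS[sid]  # expired: drop the server-side record
        return None
    return username

def logout(cookie_header):
    """Revoke the session server-side so a captured cookie stops working."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sid" in cookie:
        SESSIONS.pop(cookie["sid"].value, None)
```

Because the cookie holds only an opaque identifier, editing it on the client cannot turn a logged-out browser into a logged-in one, and the server can end a session at any time by deleting its record.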
