I'm going to use Codeigniter's session data for my login system, but first I wanted to understand them, so I read the user guide, and from what I understand, Codeigniter's session data are just cookies.
Is this true? That means if the user disables cookies he won't be able to log in to any website using Codeigniter's session data?
quoted:
The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie
So that means I should create my own native PHP session data to let users who disable cookies log in to my website? Or are Codeigniter's session data not just cookies?
Yes, CodeIgniter's inbuilt session class does use cookies; however, even the standard sessions in PHP need cookies.
Thus, no matter which route you go, CodeIgniter Session or the standard Session, either way if the user does not have cookies enabled, sessions won't work.
The advantage of CodeIgniter's Session class is it automatically encrypts the data as well to prevent cookie tampering, plus allows you to authenticate the cookie against a database.
Sessions in CodeIgniter or any other application using the HTTP protocol are best kept track of using cookies. Normally, the session data itself is not stored in cookies, but a key to access this data is, whether the actual session data is stored in the server's filesystem or in a database.
PHP allows the session ID to be set through cookies, POST or GET, but it is preferable to always use cookies (ini_set('session.use_only_cookies', true)) or you will be opening the door to session fixation. Practically everybody has cookies enabled.
Since keeping a session active for a long period doesn't seem very reliable (when using session_set_cookie_params), it seems like the next best option is to store a cookie along with the session.
When the user logs in, I create a random hash and store it in a database table beside their user id. I then create a cookie and store the hash within it.
If the cookie exists, I extract the hash, do a database search for the user id and automatically log the user in.
If the user is on an open WiFi network, hit by XSS or has a virus/malware, what stops this cookie from being copied and used by some hacker?
What is the best way to keep a session active forever, or until the user logs out?
To safeguard the cookie from XSS, set the HttpOnly flag on the cookie. To prevent sniffing, use a secure SSL connection and set the cookie Secure flag too.
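The two pieces of advice above (accept the session ID only from the cookie so it cannot be planted via GET/POST, and mark the cookie HttpOnly and Secure) can be applied in a few lines of plain PHP. The following is an added example, not code from any of the posts; it assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(), and a site served over HTTPS:

```php
<?php
// Added example (not from the original posts): hardened PHP session cookie setup.
// Assumes PHP >= 7.3 and that the site is served over HTTPS.
declare(strict_types=1);

function configure_session(): void
{
    // Accept the session ID only from the cookie, never from GET/POST (session fixation defence).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs that PHP did not generate itself (an attacker-chosen ID is discarded).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // only sent over HTTPS, so it cannot be sniffed on open WiFi
        'httponly' => true,    // not readable by JavaScript, so XSS cannot simply read it
        'samesite' => 'Lax',   // not sent on cross-site POST requests
    ]);

    session_start();
}

function login_user(int $userId): void
{
    // Issue a fresh session ID at the privilege change so any pre-login ID becomes useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

configure_session();
// After the password check succeeds (hypothetical user id 42, constructed for the example):
login_user(42);
echo "logged in as user ", $_SESSION['user_id'], PHP_EOL;
```

session_regenerate_id(true) is the part that actually closes the fixation hole: even if an attacker somehow got a victim to use a known ID before login, that ID is replaced at the moment the session gains privileges.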
Something we do is use a custom session handler, and then use memcached/MySQL storage to back it. Since the session cookies can be set to a longer timeout, we load the data from memcached; if it's not in memcached we load it from the database. If it's in neither, it's a new session. This way you don't have to generate new session IDs (PHP still handles that), but you do have to manage the data inside the sessions.
The administrative control panel for a site I am building needs a login script. The active users are stored in a mysql table, but once a user is authenticated, should I store the token as a session or a cookie? Which (if either) is more secure?
Sessions, definitely. They're stored on the server. Cookies are stored on the client side and can be easily edited by the user.
A session is nothing more than a server side cookie in the sense that the data is stored on the server. The client still gets a cookie, for PHP it's (PHPSESSID or something like that) which is just a number identifying the session.
Some advantages of using sessions are that you don't have to pass the data with every request and that the client can't 'mess' with it.
Also, in PHP you can implement your own session storage mechanism, so you're not tied to any session size limit, but that's probably well outside of your scope :P (session_set_save_handler, see PHP.net for more info).
I want my users to have a secure session on my website. What must I store in the cookie to recognise each user?
Every time user logs in, cookie value must be changed.
P.S. I want to make a database with cookie values which link to user id.
a session id?
You should store a session ID in the cookie. That said, you should NOT have to do this yourself. Use PHP sessions, it does all the cookie handling for you.
Why do you need to store the session IDs in a database? If you need semi-temporary data to travel with the user during their session, you can use the $_SESSION variable for that. It is documented as part of the guide above.
PHP does not have native support for storing session IDs on the server in a database, you would have to write that yourself, or use a library that already provides that functionality, like CakePHP.
A cookie should be a cryptographic nonce that is used to reference server side state, i.e. a session id. All web application platforms have their own session handler. In PHP you just call session_start() and then use the $_SESSION[] super global.
I'm going to implement a login feature on a website that I'm building ... I have two options while implementing: cookies and sessions.
Which will be better to use for each of these scenarios?
Remember Me.
Sign In/Login.
Shall I use sessions or cookies? or both?
If both, how can I create, store and load cookies? And how can I add the cookies to the session?
A session is used with login, and this is the standard way to do the login thing.
Remember, cookies and sessions are different.
Of course a session uses a cookie to identify the session of the current user.
And remember me works on cookies: save the user id and pass in cookies and implement remember me.
You can create cookies with the PHP function setcookie(), and for your second question, a session creates a cookie by itself and maintains the session id as the cookie value, so you don't need to handle the session cookie yourself.
For the case that you mentioned, you certainly have to use both.
A session is needed for server side verification, while cookies are needed for storing information on the client side.
Here are the links for Sessions and Cookies from PHP Site.
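For the "remember me" half of the question, the earlier thread already sketched the safer shape: a random token stored in a database table beside the user id, and only that token in the cookie, so no credentials ever sit on the client. The following is an added example, not code from any of the posts; it uses a selector/validator split (the selector is the lookup key, the validator is the secret and only its hash is stored) so that a database leak does not yield usable cookies, and it rotates the token on every use so a copied cookie works at most once. It assumes PHP 8.0 or later, the pdo_sqlite extension (used in-memory so it runs offline), and HTTPS:

```php
<?php
// Added example (not from the original posts): a "remember me" cookie backed by a DB token table.
// Assumes PHP >= 8.0, pdo_sqlite and HTTPS; the table schema and user id 42 are constructed here.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days

// Returns the cookie value it set, so the round trip can be demonstrated without a browser.
function issue_remember_token(PDO $pdo, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = random_bytes(32);           // secret; only its hash reaches the database
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    $value = $selector . ':' . bin2hex($validator);
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // unreadable by JavaScript
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Returns the user id for a valid cookie, or null. A valid token is consumed (deleted) on use.
function consume_remember_token(PDO $pdo, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !preg_match('/^[0-9a-f]{64}$/', $parts[1])) {
        return null;                              // malformed cookie
    }
    [$selector, $validatorHex] = $parts;

    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;                              // unknown or expired
    }

    // Constant-time comparison of the stored hash against the hash of the presented secret.
    $presented = hash('sha256', hex2bin($validatorHex));
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if (!hash_equals($row['validator_hash'], $presented)) {
        // Right selector, wrong secret: a tampered or guessed cookie. Deleting it above
        // also revokes the legitimate copy, which is the safe side to err on.
        return null;
    }
    return (int) $row['user_id'];
}

function revoke_all_tokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
    user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

// After a successful password login for constructed user 42:
$cookie = issue_remember_token($pdo, 42);

// On a later visit the browser sends the cookie back; consume it and issue a fresh one.
$userId = consume_remember_token($pdo, $cookie);          // 42
$again  = consume_remember_token($pdo, $cookie);          // null: a replayed copy no longer works
echo "first use: ", var_export($userId, true), ", replay: ", var_export($again, true), PHP_EOL;
if ($userId !== null) {
    $cookie = issue_remember_token($pdo, $userId);         // rotate
}
```

The rotation is what turns a stolen cookie into something detectable: if the legitimate user and a thief both present the same token, the second presentation fails, and a failed lookup for a selector that was only just consumed is a reasonable trigger for revoking every token the account holds and asking for the password again. On logout, call revoke_all_tokens() and expire the cookie.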
Do I log in using cookies or sessions in a login system? I've seen examples using sessions and cookies so I am confused! Can someone please explain this?
What do most sites use? I'd love to know!
Thanks in advance;-)
Sessions, in most cases, use cookies to store their session id, so it's pretty much always the case that you are using both. Most sites will use sessions, as cookies are inherently insecure since the data is stored on the client side, whereas session data is stored on a server. It is largely a matter of security and what data you intend to store, but since it's so easy to modify cookie data, you should never really trust anything within cookies.
Log in with sessions because they are safer than cookies, in that users don't have direct access to your session data.
BUT, when you use sessions, you are also using cookies, so in fact you are using both...
ex:
//query to get username from database
$_SESSION['user_id']=___
$_SESSION['username']=____
DON'T store passwords or anything sensitive in sessions or cookies
A session is your server or application's idea of a person. In default PHP, when you create a session, a cookie is sent to the browser for storage. Every time the browser makes a request, it will send the cookie along and the server will look up the information it has associated with that cookie. Sessions are good for storing user settings or server information because the user only ever sees the session key.
With cookies you can set a preference independent of the user or session at your site, like the style of the page or whether this is a shared browser. This information will be sent with requests from that browser, so it can be accessed from server scripts. The bonus with cookies is that JavaScript can use their values for processing without backend support (for static pages), and that the user can change them themselves.
Good advice above should be followed: put nothing in cookies you wouldn't want anyone to see.
Not only can the user see them, anyone with access to the user's computer or the network connection between you and the user can see them.
It is a bit of a minimalistic answer but here goes:
- If your login system has a "remember me" feature, it very likely uses cookies but not sessions
- If not, it uses cookies and sessions (because sessions use cookies, as said in the above posts)
Hope it helps