0

The administrative control panel for a site I am building needs a login script. The active users are stored in a mysql table, but once a user is authenticated, should I store the token as a session or a cookie? Which (if either) is more secure?

drewwyatt

  • Please, read this: http://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668 – Klaus S. Dec 19 '11 at 23:07

2 Answers

3

Sessions, definitely. They're stored on the server. Cookies are stored on the client side and can be easily edited by the user.

Indranil

  • and they can be captured and used to control user data from a "man in the middle" ... So I agree.. – DonCallisto Dec 19 '11 at 23:08
  • The default session handler in PHP is still vulnerable to a man-in-the-middle attack (since a session is really just a cookie too). The best way to circumvent it is to switch to HTTPS. – Halcyon Dec 19 '11 at 23:11
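Added example (not code from the question or either answer): a PHP login script that follows the advice above. Only the session id travels in a cookie, the authenticated user id stays in `$_SESSION` on the server, the cookie is marked `secure`/`httponly` so it is sent only over HTTPS and is not readable by script, and the id is regenerated after login. It assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (hashes created with `password_hash()`); those names are assumptions, not from the thread.

```php
<?php
// Added example: session-based admin login. The browser only receives the
// PHPSESSID cookie; the user id is kept server-side in $_SESSION.
// Assumed: $pdo (PDO) and a `users` table (id, username, password_hash).

declare(strict_types=1);

// Harden the session cookie before the session starts. 'secure' needs HTTPS,
// which is also what prevents the session id being captured in transit.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not accessible from JavaScript
    'samesite' => 'Strict', // not sent on cross-site requests
]);
ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same failure path for unknown user and wrong password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh session id after authentication so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie on the client as well as destroying server data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (assumed request handling for the login form):
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: /admin/');
//     exit;
// }
// Every admin page then checks: if (currentUserId() === null) { /* redirect to login */ }
```

The `session_set_cookie_params()` array form needs PHP 7.3 or later; on older versions the same flags are set through `session.cookie_secure` and `session.cookie_httponly` in php.ini.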
1

A session is nothing more than a server-side cookie in the sense that the data is stored on the server. The client still gets a cookie (for PHP it's PHPSESSID or something like that) which is just a number identifying the session.

Some advantages of using sessions are that you don't have to pass the data with every request and that the client can't 'mess' with it.

Also, in PHP you can implement your own session storage mechanism, so you're not tied to any session size limit, but that's probably well outside of your scope :P (session_set_save_handler, see PHP.net for more info).

Halcyon