5 replies to this topic

[timpearson26]

In the Chapter 13 web app, cookies are used to verify if a person has administrator access.

It seems that using a cookie is similar to a password in the way that in the book, Larry says to set a cookie with sort of a random name and value. For instance, don't set a cookie with the name of 'login' and the value of 'true' (instead a cookie named Samuel is set with a value of Clemens). But, because cookies are easily viewed once they are set, for example using firebug on firefox, it seems like this is not the best method for veirifying who has access to a site and who doesn't.

For example. Lets say someone signs up for a username and password on my site, I grant that person permission to my site and set a cookie named Samuel with a value of Clemens. But lets say for some reason in the future I choose to deny that user access to my site. If while he had access to my site, he happened to check the name and value of the cookie, that person after he looses access to my site could easily create a cookie himself named Samuel with a value of Clemens. Then what?

Is this the method that websites actually use to verify login credentials? (obviously I know this is a beginner book and there is probably much more to it than this, but I was wondering if this was an easy way to mimic a login example, or if some form of this method is used in professional sites.)

[Edward]

Sessions or the sessions array would be used rather than cookies which can easily be exploited. If you get Larry's next book php and mysql for dynamic websites you will see this in action. Or for more advanced stuff you can get his advanced php book that handles session info stored in the database to be extra secure.

[Larry]

There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.

[timpearson26]

Sessions or the sessions array would be used rather than cookies which can easily be exploited. If you get Larry's next book php and mysql for dynamic websites you will see this in action. Or for more advanced stuff you can get his advanced php book that handles session info stored in the database to be extra secure.

Thanks for the reply. Yeah, I already have the next book, looking forward to starting it soon.

Thanks.

[timpearson26]

There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.

The more I am reading about security, the more this seems to become clear. Pretty much what I've learned is: nothing is totally safe.

[Larry]

Exactly: nothing is totally safe. And the worst security mistake one can make is thinking it's possible to be totally safe, let alone that you've implemented 100% security on a project.