Larry Ullman's Book Forums

Cookies And Security (Chapter 13)



In the Chapter 13 web app, cookies are used to verify if a person has administrator access.

 

It seems that using a cookie is similar to a password, in the way that, in the book, Larry says to set a cookie with a sort of random name and value. For instance, don't set a cookie with the name 'login' and the value 'true' (instead a cookie named Samuel is set with a value of Clemens). But, because cookies are easily viewed once they are set, for example using Firebug on Firefox, it seems like this is not the best method for verifying who has access to a site and who doesn't.

 

For example, let's say someone signs up for a username and password on my site. I grant that person permission to my site and set a cookie named Samuel with a value of Clemens. But let's say that for some reason in the future I choose to deny that user access to my site. If, while he had access to my site, he happened to check the name and value of the cookie, that person, after he loses access to my site, could easily create a cookie himself named Samuel with a value of Clemens. Then what?

 

Is this the method that websites actually use to verify login credentials? (obviously I know this is a beginner book and there is probably much more to it than this, but I was wondering if this was an easy way to mimic a login example, or if some form of this method is used in professional sites.)


Sessions or the sessions array would be used rather than cookies, which can easily be exploited. If you get Larry's next book, PHP and MySQL for Dynamic Websites, you will see this in action. Or for more advanced stuff you can get his advanced PHP book, which handles session info stored in the database to be extra secure.

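The forgery scenario in the original post (an ex-user recreating the Samuel=Clemens cookie) and the server-side state the reply above recommends, shown side by side as an added example. This is not code from the book or from the forum posters: the function names, the cookie layout `user_id|expires|hmac`, the COOKIE_SECRET constant and the revocation list are all assumptions made for the demonstration. The hardened version keeps a secret on the server, signs the cookie with an HMAC, gives it an expiry, and consults a server-side list of revoked users so that access can be withdrawn even while a valid cookie is still in the browser.

```php
<?php
// Added example, not from the book: a forgeable marker cookie versus a
// signed, expiring, revocable one. Run with: php cookie_demo.php

// --- 1. The marker-cookie check from the question. The "secret" is the
// cookie's own name and value, which the browser shows to whoever holds it,
// so anyone who has ever seen it can recreate it.
function weakIsAdmin(array $cookies): bool
{
    return isset($cookies['Samuel']) && $cookies['Samuel'] === 'Clemens';
}

// --- 2. A signed cookie. The secret stays on the server; the client only
// ever sees "<user_id>|<expires_unix>|<hmac_sha256_hex>", which it cannot
// alter without invalidating the MAC.
// Assumption: in a real app generate this once with bin2hex(random_bytes(32))
// and keep it outside the web root.
const COOKIE_SECRET = 'replace-with-bin2hex(random_bytes(32))';

function issueAuthCookie(string $userId, int $ttlSeconds, int $now): string
{
    // user ids must not contain '|' (the field separator); reject otherwise
    if ($userId === '' || strpos($userId, '|') !== false) {
        throw new InvalidArgumentException('bad user id');
    }
    $payload = $userId . '|' . ($now + $ttlSeconds);
    $mac = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '|' . $mac;
}

// $revoked: user ids whose access was withdrawn after their cookie was issued.
// Returns the user id on success, null on any failure.
function verifyAuthCookie(?string $value, int $now, array $revoked): ?string
{
    if ($value === null) {
        return null;
    }
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {      // constant-time compare
        return null;
    }
    if ((int) $expires < $now) {              // expired
        return null;
    }
    if (in_array($userId, $revoked, true)) {  // access withdrawn on the server
        return null;
    }
    return $userId;
}

// --- 3. Walk through the scenario from the post. Each check throws if the
// outcome is not the one the comment describes.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

$now = time();

// The ex-user simply sets Samuel=Clemens again and the weak check passes.
check(weakIsAdmin(['Samuel' => 'Clemens']) === true, 'forged marker cookie is accepted by the weak check');

// Signed cookie issued at login is accepted...
$cookie = issueAuthCookie('twain', 3600, $now);
check(verifyAuthCookie($cookie, $now, []) === 'twain', 'genuine signed cookie verifies');

// ...editing the user id (keeping expiry and MAC) breaks the MAC...
[, $exp, $mac] = explode('|', $cookie);
check(verifyAuthCookie('admin|' . $exp . '|' . $mac, $now, []) === null, 'tampered user id is rejected');

// ...a cookie forged without the secret is rejected...
check(verifyAuthCookie('twain|' . ($now + 3600) . '|' . str_repeat('0', 64), $now, []) === null, 'cookie forged without the secret is rejected');

// ...it stops working after it expires...
check(verifyAuthCookie($cookie, $now + 7200, []) === null, 'expired cookie is rejected');

// ...and the server can withdraw access while the cookie is still valid.
check(verifyAuthCookie($cookie, $now, ['twain']) === null, 'revoked user is rejected despite a valid cookie');

// In the web app you would send it with:
// setcookie('auth', $cookie, ['expires' => $now + 3600, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

A PHP session does the server-side half of this for you: session_start() hands the browser only a random session id and keeps the user's state on the server, so revoking a user is a matter of deleting or flagging that server-side record rather than relying on anything the client holds. The signed-cookie variant is what you reach for when the "remember me" state has to outlive the session, and the revocation list is the piece that answers the "then what?" in the question.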

There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.


Sessions or the sessions array would be used rather than cookies, which can easily be exploited. If you get Larry's next book, PHP and MySQL for Dynamic Websites, you will see this in action. Or for more advanced stuff you can get his advanced PHP book, which handles session info stored in the database to be extra secure.

 

Thanks for the reply. Yeah, I already have the next book, looking forward to starting it soon.

 

Thanks.


There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.

 

The more I am reading about security, the more this seems to become clear. Pretty much what I've learned is: nothing is totally safe.
