Larry Ullman's Book Forums
timpearson26

Cookies And Security (Chapter 13)


In the Chapter 13 web app, cookies are used to verify if a person has administrator access.

It seems that using a cookie is similar to a password in the way that, in the book, Larry says to set a cookie with sort of a random name and value. For instance, don't set a cookie with the name of 'login' and the value of 'true' (instead, a cookie named Samuel is set with a value of Clemens). But, because cookies are easily viewed once they are set, for example using Firebug on Firefox, it seems like this is not the best method for verifying who has access to a site and who doesn't.

For example, let's say someone signs up for a username and password on my site. I grant that person permission to my site and set a cookie named Samuel with a value of Clemens. But let's say, for some reason in the future, I choose to deny that user access to my site. If, while he had access to my site, he happened to check the name and value of the cookie, that person, after he loses access to my site, could easily create a cookie himself named Samuel with a value of Clemens. Then what?

Is this the method that websites actually use to verify login credentials? (Obviously I know this is a beginner book and there is probably much more to it than this, but I was wondering if this was an easy way to mimic a login example, or if some form of this method is used in professional sites.)


Sessions, or the sessions array, would be used rather than cookies, which can easily be exploited. If you get Larry's next book, PHP and MySQL for Dynamic Websites, you will see this in action. Or, for more advanced stuff, you can get his advanced PHP book, which handles session info stored in the database to be extra secure.

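As an added example (not code from the book, from this thread, or from any of Larry's projects), here is a PHP sketch of the fixed-cookie check the question describes next to the server-side, database-backed token approach the reply points at. The in-memory array standing in for a database table, the cookie name 'auth' and the user id 7 are assumptions made for the sketch.

```php
<?php
// Added example; not from the book or this thread.

// (a) The check the question describes: a fixed cookie name and value act as
//     the password. Anyone who has once read the cookie in the browser can
//     recreate it, and the server has no way to take that access back.
function is_admin_static(array $cookies): bool
{
    return ($cookies['Samuel'] ?? '') === 'Clemens';
}

// (b) A random token issued by the server and recorded per user. The cookie
//     value is unguessable, it is tied to an account, and access is withdrawn
//     by deleting the server-side record. An in-memory array stands in for the
//     database table a real site would use (assumption).
$tokens = [];   // sha256(token) => user id

function issue_token(array &$tokens, int $user_id): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = $user_id;  // keep only the hash server-side
    // In the real page: setcookie('auth', $token, ['httponly' => true,
    //   'secure' => true, 'samesite' => 'Lax']);  ('auth' is an assumed name)
    return $token;
}

function user_for_token(array $tokens, ?string $token): ?int
{
    if ($token === null || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;                             // malformed cookie: not logged in
    }
    return $tokens[hash('sha256', $token)] ?? null;
}

function revoke_user(array &$tokens, int $user_id): void
{
    foreach (array_keys($tokens, $user_id, true) as $hash) {
        unset($tokens[$hash]);                   // every token for that user dies
    }
}

// Walk-through with constructed values: user 7 is granted access, then loses it.
$t = issue_token($tokens, 7);
var_dump(user_for_token($tokens, $t) === 7);         // the issued token is accepted
var_dump(is_admin_static(['Samuel' => 'Clemens']));  // a recreated fixed cookie is accepted too
revoke_user($tokens, 7);
var_dump(user_for_token($tokens, $t) === null);      // the copied token no longer works
```

With approach (b) the thing the visitor can copy is worthless once the server-side row is gone, which is exactly the revocation the question asks about; PHP's own `$_SESSION` with a database session handler is the same idea with the token being the session id.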

There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.


> Sessions, or the sessions array, would be used rather than cookies, which can easily be exploited. If you get Larry's next book, PHP and MySQL for Dynamic Websites, you will see this in action. Or, for more advanced stuff, you can get his advanced PHP book, which handles session info stored in the database to be extra secure.

Thanks for the reply. Yeah, I already have the next book, looking forward to starting it soon.

Thanks.


> There's no one right answer. Generally, cookies are less secure than sessions, but the level of security needs to be right for the application itself. So you have to find the right combination of security, convenience, longevity, etc.

The more I am reading about security, the more this seems to become clear. Pretty much what I've learned is: nothing is totally safe.


Exactly: nothing is totally safe. And the worst security mistake one can make is thinking it's possible to be totally safe, let alone that you've implemented 100% security on a project.

