I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?
感谢大家在StackOverflow!
当您将#ID保存为cookie以识别登录用户时,您实际上是在向与他们无关的用户显示数据。此外,如果第三方试图在他们的浏览器中设置随机id作为cookie数据,他们将能够使服务器相信他们是用户,而实际上他们不是。这就是缺乏安全感。
您已经使用了cookie,正如您所说,您已经完成了项目的大部分。此外,cookie具有保留较长时间的特权,而会话结束得更快。所以会话在这种情况下不适合。在现实中,许多著名和流行的网站和服务使用cookie,你可以保持登录很长一段时间。但是如何使用他们的方法来创建更安全的登录过程呢?
here's the idea: you can help the way you use cookies: If you use random keys instead of IDs to recognize logged-in users, first, you don't leak your primary data to random users, and second, If you consider the Random key large enough, It will be harder for anyone to guess a key or create a random one. for example you can save a 40 length key like this in User's browser:
"KUYTYRFU7987gJHFJ543JHBJHCF5645UYTUYJH54657jguthfn"
and it will be less likely for anyone to create the exact key and pretend to be someone else.
这个概念是跨页面加载为web访问者存储持久数据。cookie直接将其存储在客户机上。会话使用cookie作为某种密钥,与存储在服务器端的数据相关联。
最好使用会话,因为实际值对客户端隐藏,您可以控制数据何时过期并失效。如果它完全基于cookie,用户(或黑客)可以操纵他们的cookie数据,然后向您的站点发送请求。
编辑:我不认为使用cookie有任何好处,除了简单。这样看……用户有任何理由知道他们的ID号吗?通常我会说不需要,用户不需要这些信息。在需要知道的基础上,提供信息应该受到限制。如果用户将cookie更改为不同的ID,应用程序将如何响应?这是一个安全隐患。
在会话盛行之前,我基本上有自己的实现。我在客户机上存储了一个唯一的cookie值,并将我的持久数据与该cookie值一起存储在数据库中。然后在页面请求中,我匹配这些值并获得持久数据,而不让客户端控制这些数据。
