User Authentication Method?

alsaffar

Programmer
Oct 25, 2001
165
KW
Hi there,

Which one is better to use for user authentication, cookies or sessions?

I just started coding a nice script for handling user signup and login using cookies, and I found that if the user forgot to log out and the cookie is not expired yet, anyone can log in to any page using the first guy's userName and password on the same PC, because I put a small piece of code on every page to grab the userName and password from the cookie I set.

So, any idea how I can delete the cookie automatically when the user closes the session and forgets to log out?
 
Don't set the expires argument to setcookie. That will delete it when the browser is closed.
And in my opinion, sessions are better for user authentication. Cookies can be very easily manipulated as they are stored on the user's computer. If you use sessions, the information is stored on the server. //Daniel
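
The server-side session approach suggested in the reply above, as an added example that is not part of the original thread: the browser holds only an opaque session ID in a cookie with no expiry, the user name lives in `$_SESSION` on the server, and an idle timeout covers the user who forgets to log out. The function names, `IDLE_LIMIT` and the `$users` store are assumptions made for this sketch; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example. Function names, IDLE_LIMIT and $users are assumptions.
const IDLE_LIMIT = 900; // seconds of inactivity before the login is dropped

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,      // no expiry: the browser drops the cookie on close
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool {
    $hash = $users[$name] ?? null;   // stored password hash, never the password
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID at login (blocks session fixation)
    $_SESSION['user'] = $name;       // kept on the server, not in the cookie
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

function current_user(): ?string {   // call at the top of every protected page
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();                    // the user walked away without logging out
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

if (PHP_SAPI === 'cli') {            // offline demo with a constructed user
    $users = ['alice' => password_hash('constructed-pass', PASSWORD_DEFAULT)];
    start_secure_session();
    $bad = login($users, 'alice', 'wrong-pass');
    $ok  = login($users, 'alice', 'constructed-pass');
    var_dump($bad, $ok, current_user());
}
```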
 
Well, I tried not setting an expire time for the cookie, I just left it blank "". Then I logged in as any user, and the browser asked me about setting myDomain cookies. After accepting those cookies, I was logged in, and I could check that the cookie was set and I could get any information I need from this cookie, like userID, UserName and Password, via a script I made.

Then, before I closed my session, I checked the cookies folder on my PC and I couldn't find my cookie there! So the cookie isn't stored on my PC at all, even during the session's life.

CONCLUSION:
----------
So, if I don't set the expiry date and the session is not closed yet, the cookie will not be stored on the user's PC at all, and so no one can edit that cookie to gain through my database.

So I think using cookies with no expiry date is secure enough.

QUESTION:
--------
Any comments on my conclusion?
 
Hi alsaffar

I am looking to add the same functionality into one of the applications we have here, and I am not a PHP developer. Can you be kind enough to share the code you wrote with me?

If yes, please send it to miss_logic@hotmail.com

Thanks for your help
Brenda
 