  1. #1
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55

    Are session variables more secure than cookies?

    Are session variables more secure than cookies?

    Session cookies (cookies with no expiration) are destroyed when the browser is destroyed.

    Session variables are destroyed when the browser is destroyed OR after a time period.

    So, in that way, they are secure from the data persisting on the client.

    However, while they are in use, can cookies and/or session variables be made secure without encryption?

    How much more secure are session variables than cookies?

    -Mike-

  2. #2
    SitePoint Enthusiast jlrosine's Avatar
    Join Date
    Feb 2002
    Location
    Colorado
    Posts
    64

    hmmm

    I hope I understand what you are asking. Session variables can be more secure, as it is a session created by the server....with a sessionid. So, say you use session based authentication, then you can store information only available to the current userid, or sessionid. Then the only way to grab it is session hijacking, which I've only heard of briefly.

    Wish I could help more, I'm just not sure I understand fully what your question was. Hope I helped.

    --Jeremy

  3. #3
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Thanks, Jeremy. Maybe an example would be better.

    I want to temporarily store sensitive data on the client - say a credit card number, so everyone can relate to protecting it. I'm not going to worry about it being on the client for someone to grab later, because I am going to destroy it after I'm done.

    However, if I use a cookie to store it on the client, someone else may be able to see it before I destroy it since cookies are global variables to the world. One way to protect that data is to encrypt it, so someone could read it, but they can't decode it.

    Maybe session variables would work. We use session variables to store database connection strings in a secure way, but we aren't protecting much either.

    So I wanted to find out how secure a session variable is from anyone reading the variable data from the client (if they are reading the data from the server side, I got bigger problems):

    As secure as anything gets on a computer on the internet?
    As secure as https?
    Hard to read, but it can be done with a lot of work and knowledge?
    Easy for any half-decent hacker to read?
    Easy for just about anyone to read with knowing a few commands?
    My grandma can do it in her sleep?

    -Mike-

  4. #4
    SitePoint Enthusiast jlrosine's Avatar
    Join Date
    Feb 2002
    Location
    Colorado
    Posts
    64

    more

    So your idea is to use a session variable like a cookie, but encrypt it on the client side, and have the server read it (decrypt it)? Correct? If this is the case, let me look at some documentation, in the meantime maybe someone can shed some light?

    -Jeremy

  5. #5
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Yeah, except I was wondering if I even need to encrypt a session variable due to its secure nature.

    -Mike-
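
The difference the thread is circling, as an added example that is not part of any poster's message: with a server-side session only a random session id is sent to the browser, while a plain cookie carries the value itself. The function names, the `sessionid` cookie name and the in-memory store are assumptions for illustration, and the card number is a constructed test value.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory store: session id -> session variables.
# The variables never leave the server; only the id does.
SESSIONS = {}

def start_session(variables):
    """Create a server-side session and return the Set-Cookie value for it."""
    sid = secrets.token_urlsafe(32)           # unguessable random identifier
    SESSIONS[sid] = dict(variables)
    cookie = SimpleCookie()
    cookie["sessionid"] = sid
    cookie["sessionid"]["path"] = "/"
    cookie["sessionid"]["httponly"] = True    # hidden from page scripts
    cookie["sessionid"]["secure"] = True      # sent over HTTPS only
    return cookie["sessionid"].OutputString()

def store_in_cookie(name, value):
    """The alternative: the value itself travels to and lives on the client."""
    cookie = SimpleCookie()
    cookie[name] = value
    return cookie[name].OutputString()

def load_session(cookie_header):
    """Map a Cookie request header back to the server-side variables."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sessionid")
    return SESSIONS.get(morsel.value) if morsel else None

def end_session(cookie_header):
    """Destroy the server-side data; the id left on the client is now useless."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sessionid")
    if morsel:
        SESSIONS.pop(morsel.value, None)

if __name__ == "__main__":
    card = "4111111111111111"                 # constructed test value
    session_header = start_session({"card": card})
    print("session cookie:", session_header)  # random id only, no card number
    print("plain cookie:  ", store_in_cookie("card", card))  # card in the clear
    sid_pair = session_header.split(";")[0]   # what the browser sends back
    print("server lookup: ", load_session(sid_pair))
    end_session(sid_pair)
    print("after destroy: ", load_session(sid_pair))
```

The session id is the only secret on the client, so whoever presents it gets the session: that is the session hijacking mentioned in post #2, and the reason the id cookie is flagged `Secure` and `HttpOnly` and the server-side entry is destroyed when it is no longer needed.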

