So would you encrypt it BEFORE sending it out with the cookie? And then when the client returns to the site, take the cookie data, compare it to the db without encrypting anything else, and then automatically log them in?
Is that about as secure as it gets? Or is there a better way?
I'm using sessions, but I want my clients to be able to come to the site and not have to go through the login process in order to access the information. I thought that cookies would allow me to do that, like here on SitePoint. I don't have to log in every time I come to the site to post a message.
How would you go about doing that, or will it eventually become obsolete?
Originally posted by Hartmann: Yes, that would be the way to do it. I wouldn't use cookies though; sessions would be better since cookies are deprecated in PHP4.2
Originally posted by PHP John: I'm using sessions, but I want my clients to be able to come to the site and not have to go through the login process in order to access the information. I thought that cookies would allow me to do that, like here on SitePoint. I don't have to log in every time I come to the site to post a message.
How would you go about doing that, or will it eventually become obsolete?
In that case you have to use cookies; it all depends on how sensitive the information on your site is.
Let's say I set a cookie on the client's computer in plain text: how is that a security risk unless the client is on a shared computer or unless someone outside manages to get into the computer to view all the cookies?
On the second point, is it possible to set up a firewall to stop people from browsing through the cookies on your site? Or is there a way around it?
Originally posted by Hartmann: Yes, that would be the way to do it. I wouldn't use cookies though; sessions would be better since cookies are deprecated in PHP4.2
What?
Cookies and sessions are not one and the same, and I don't think that cookies are deprecated. Where are you getting this information?
Well, I think they were exaggerating. They meant that when storing data for only one session you shouldn't use cookies, but sessions, since they are more secure and easier to use. But for data that needs to be stored for a long time (such as a visit counter) then cookies are the only way to do it.