About Cookies and Sessions

This evening I tried to find information about cookies and sessions; after searching on Google I found several references about cookies and sessions. The following is a summary.

Cookies
Cookies are usually small text files that are stored in your computer’s browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions.
Cookies are often indispensable for websites that have huge databases, need logins, have customizable themes, or offer other advanced features.

Cookies usually don’t contain much information except for the url of the website that created the cookie, the duration of the cookie’s abilities and effects, and a random number. Due to the little amount of information a cookie contains, it usually cannot be used to reveal your identity or personally identifying information.
There are two types of cookies: session cookies and persistent cookies. Session cookies are created temporarily in your browser’s subfolder while you are visiting a website. Once you leave the site, the session cookie is deleted. On the other hand, persistent cookie files remain in your browser’s subfolder and are activated again once you visit the website that created that particular cookie. A persistent cookie remains in the browser’s subfolder for the duration period set within the cookie’s file.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number. Two types of cookies are commonly used: session cookies, which are temporary cookies that remain in the cookie file of your browser until you leave the site, and persistent cookies, which remain in the cookie file of your browser for much longer (how long depends on the lifetime set in the specific cookie).
Cookies can help a website arrange content to match your preferred interests more quickly. Most major websites use cookies. Cookies cannot be used by themselves to identify you.
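To make the three parts described above concrete (domain, lifetime, value) and the session/persistent distinction checkable, here is an added example that is not from the original post: a small parser for Set-Cookie headers. The sample headers are constructed; the Secure/HttpOnly flags are reported because that is what a practitioner checks next.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not taken from any real site).
SAMPLE_HEADERS = [
    "id=a3f9c2e1; Domain=example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly",
    "PHPSESSID=8f1b2c3d4e5f; Path=/",
    "theme=dark; Max-Age=3600; Path=/",
]

def parse_set_cookie(header, now=None):
    """Split a Set-Cookie header into name, value, domain and lifetime.

    `now` may be an RFC 7231 date string (handy for deterministic tests)
    or None for the current time. lifetime is in seconds; None means the
    browser discards the cookie when it closes (a session cookie).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()

    if isinstance(now, str):
        now = parsedate_to_datetime(now)
    now = now or datetime.now(timezone.utc)

    lifetime = None
    if "max-age" in attrs:          # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())

    return {
        "name": name.strip(),
        "value": value,
        "domain": attrs.get("domain"),   # None: cookie is scoped to the origin host only
        "lifetime": lifetime,
        "persistent": lifetime is not None,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }
```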

ref :
http://www.allaboutcookies.org/
http://en.wikipedia.org/wiki/HTTP_cookie
http://transiskom.blogspot.com/2010/08/pengertian-fungsi-dan-jenis-cookies.html
http://edutechnolife.com/cookie-pengertian-dan-kegunaannya/

Sessions
Sessions in PHP are a way of saving user-specific variables or “state” across subsequent page requests. This is achieved by handing a unique session ID to the browser, which the browser submits with every new request. The session stays alive as long as the browser keeps sending the ID with every new request and not too much time passes between requests. The session ID is generally implemented as a cookie, but it could also be a value passed in the URL. Session variables are saved to files in a directory specified in php.ini; the filenames in this directory are based on the session IDs. Each file contains the variables for that session in clear text. First we are going to look at the old and insecure way of working with sessions; unfortunately this way of working with sessions is still widely used.

// first.php
// Initialize session management
session_start();
// Authenticate user
if ( … ) {
    $bIsAuthenticated = true;
} else {
    $bIsAuthenticated = false;
}
// Register $bIsAuthenticated as a session variable
session_register('bIsAuthenticated');
echo 'To second page';

// second.php
// Initialize session management
session_start();
// $bIsAuthenticated is automatically set by PHP
if ( $bIsAuthenticated ) {
    // Display sensitive information …
}

Why is this insecure? Because second.php never distinguishes between a variable that came from the session and one that came from the request: with register_globals enabled, a simple second.php?bIsAuthenticated=1 sets the global $bIsAuthenticated directly and bypasses the authentication in first.php. session_start() is called implicitly by session_register(), or by PHP if the session.auto_start directive is set in php.ini (defaults to off). However, to be consistent and not rely on configuration settings, we always call it ourselves. The recommended way of working with sessions:

// first.php
// Initialize session management
session_start();
// Authenticate user
if ( … ) {
    $_SESSION['bIsAuthenticated'] = true;
} else {
    $_SESSION['bIsAuthenticated'] = false;
}
echo 'To second page';

// second.php
// Initialize session management
session_start();
// !empty() avoids an undefined-index notice on a fresh session
if (!empty($_SESSION['bIsAuthenticated'])) {
    // Display sensitive information
}

Not only is the above code more secure, it is also, in my opinion, much cleaner and easier to understand. Note: on multi-host systems, remember to secure the directory containing the session files (typically held in /tmp); otherwise users might be able to create custom session files for other sites.
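The following is an added example, not code from the original post, that models the $_SESSION pattern in Python so the difference can be exercised offline: the browser only ever holds an opaque ID, the flag lives in a server-side file named sess_<id> (mirroring PHP's file handler and its "name|serialized;" clear-text format for booleans), and a request parameter has no way to reach it. The password check, directory and ID rules are assumptions of this model.

```python
import os
import re
import secrets
import tempfile

# Assumed layout, modelled on PHP's file handler: one file per session,
# named sess_<id>, holding "name|serialized;" pairs in clear text.
SESSION_DIR = tempfile.mkdtemp(prefix="phpsess_")
# Only accept IDs made of the characters PHP itself issues; anything else
# (for example a path) must not be able to name a file outside SESSION_DIR.
SID_RE = re.compile(r"^[A-Za-z0-9,-]{22,128}$")

def _path(sid):
    if not SID_RE.match(sid):
        raise ValueError("invalid session id")
    return os.path.join(SESSION_DIR, "sess_" + sid)

def session_start(cookies):
    """Return (sid, vars). A fresh id is issued when the cookie is missing, malformed or unknown."""
    sid = cookies.get("PHPSESSID", "")
    try:
        with open(_path(sid)) as f:
            data = f.read()
    except (ValueError, FileNotFoundError):
        sid, data = secrets.token_hex(16), ""
    session = {}
    for item in filter(None, data.split(";")):
        name, _, serialized = item.partition("|")   # e.g. "bIsAuthenticated|b:1"
        session[name] = serialized == "b:1"         # this model stores booleans only
    return sid, session

def session_write(sid, session):
    with open(_path(sid), "w") as f:
        f.write("".join(f"{k}|b:{int(v)};" for k, v in session.items()))

def first_php(cookies, password):
    """Authenticate and record the result server-side; returns the id the cookie carries."""
    sid, session = session_start(cookies)
    session["bIsAuthenticated"] = (password == "correct-horse")  # constructed stand-in check
    session_write(sid, session)
    return sid

def second_php(cookies, query):
    """Only the server-side session decides; the query string is never consulted."""
    _, session = session_start(cookies)
    return "sensitive" if session.get("bIsAuthenticated") else "denied"
```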

ref :
https://www.owasp.org/index.php/Session_Management#Sessions
http://en.wikipedia.org/wiki/Session_management
