I just realized: Isn't this very unsecure? If I create a cookie myself that has your username in it, I am automatically logged in on your account, right?
And why do this instead of just checking if there still is a cookie? I do not need to know the user ID anyway. Also, in my version of the game I am making with your tutorial, I stored the ID in the cookie too, because you really need it often. Or is retrieving data from the database faster/better than retrieving data from a cookie?
Please explain what and why you did this :)
Luke
· 8 months ago
Realistically, any authentication system you build is unsecure - but PHP's sessions are 'safe enough'. As far as I'm aware (although I'm sure someone will correct me if I'm wrong), sessions are stored in an encrypted format in the cookie - which makes it a little harder for an attacker to just create a cookie with your username inside it. Storing the ID does seem like a better way to do it, if you're going to need the ID very often - it's definitely faster to retrieve something from a cookie than the database.
MrLollige
· 8 months ago
I'll do some research on PHP's sessions function, that will get me more information :D Thanks again for your reply!
(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-)
MrLollige
· 8 months ago
I expected sessions were just a form of standard cookies. But it seems they are not, and are secure as you said :) Thanks for sharing this information!
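The distinction this thread is circling, as an added example that is not from the tutorial or from any of the posters: a cookie that carries the username is trusted as-is, whereas a session cookie carries only a random ID that the server looks up, which is how PHP's default session handling works (the data stays on the server). The in-memory store, the function names and the 30-minute idle timeout are assumptions made for illustration.

```php
<?php
// Added example. $sessions is a constructed in-memory stand-in for
// server-side session storage; all names here are hypothetical.
$sessions = [];            // session ID => ['user_id' => int, 'expires' => int]
const SESSION_TTL = 1800;  // assumed idle timeout, in seconds

// Weak: believes whatever value the client sent in the cookie.
function userFromPlainCookie(array $cookies): ?string
{
    return $cookies['username'] ?? null;
}

// Login: issue an unguessable ID; the user ID itself never leaves the server.
function startSession(array &$sessions, int $userId, int $now): string
{
    $id = bin2hex(random_bytes(32));
    $sessions[$id] = ['user_id' => $userId, 'expires' => $now + SESSION_TTL];
    return $id;
}

// Lookup: IDs the server never issued, and expired ones, are rejected.
function userFromSession(array &$sessions, array $cookies, int $now): ?int
{
    $id = $cookies['sid'] ?? '';
    if (!is_string($id) || !isset($sessions[$id])) {
        return null;
    }
    if ($sessions[$id]['expires'] < $now) {
        unset($sessions[$id]);   // a copied ID stops working after the timeout
        return null;
    }
    $sessions[$id]['expires'] = $now + SESSION_TTL;  // sliding expiry
    return $sessions[$id]['user_id'];
}

$now = 1700000000;  // constructed timestamp
$sid = startSession($sessions, 42, $now);

// Client-supplied username: accepted with no proof of login.
var_dump(userFromPlainCookie(['username' => 'alice']));
// Client-supplied value that the server never issued as a session ID.
var_dump(userFromSession($sessions, ['sid' => 'alice'], $now));
// The ID issued at login, presented one minute later.
var_dump(userFromSession($sessions, ['sid' => $sid], $now + 60));
// The same ID presented after the idle timeout has passed.
var_dump(userFromSession($sessions, ['sid' => $sid], $now + 60 + SESSION_TTL + 1));
```

Keeping the user ID in the server-side record gives the convenience asked about above without letting the client choose it, and the expiry check is what limits how long a copied ID stays usable.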