Where can I store the username and user ID? Sessions or cookies?

There are many instances in my code that require quick access to the username and user ID. I am currently using cookies. It's not safe.

I thought sessions would be a solution, but sessions expire.

Another option is to save a unique marker in the cookie, and then match it with the saved marker in the database to get the registered user's data. This is the safest solution, but the problem that I see with it is that there are many places in my code where the username and user ID are required, and the requests would use up unnecessary resources all the time (is this true?)

What's the solution?

+5
3 answers

If this is not necessary on the client, make sure that it is not there.

Since userId is specific to a registered user, and not to a specific computer, a cookie does not seem like the way to go.

Basic authentication in PHP is usually done through sessions, so you can simply add userId to the session.

If the session time is too short, increase the session time.

+3

I am going to try to combine everything that was said in the comments into one answer. As such, please show some other users some love by enhancing their answers / comments! I will also give a brief overview of how sessions work to make the answer useful to a wider audience.

-, . PHP, , , PHP- $_SESSION superglobal. cookie .

, , . , cookie . , ! , , , PHP . , SSL ​​ , cookie SSL, HTTPS. .

, , , . , - 10 60 . reset - , , .

(.. " " ), cookie, . , , , . , , . , . , , . , !

:

  • . /dev/urandom, , mt_rand, - "", SHA1 .
  • (, PBKDF2 bcrypt), . SHA1 MD5 - !
  • , , .
  • cookie .
  • , cookie- , - cookie, , 2, . , .
  • ( 1).

script, (, 3 ) . , .

-, OWASP.

+4

​​ . , ​​ , . , cookie.

-4
