Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Cookies vs. Session Storage

2:57 with Alena Holligan and Brian Retterer

Cookies vs Sessions is an ongoing debate. We will explain what the difference is between the two and when you would use one over the other.

Further Reading:

  • 0:00

    There's been an ongoing debate with where to store authenticated user information.

  • 0:05

    The debate is, should you store your details in cookies or session?

  • 0:10

    Although there is no 100% correct answer for this debate, I'm going to go over

  • 0:15

    the differences between both, with the positives and negatives of each one.

  • 0:20

    A lot of people will argue that using sessions

  • 0:23

    is the correct way of storing information about the user.

  • 0:26

    The reason I get from a lot of people when asking this is that it's easy.

  • 0:31

    Although this argument is true, it's also easy for

  • 0:34

    a hacker to gain access to the same session for cross site scripting.

  • 0:40

    Sessions are prone to cross site scripting because the sessions are accessible

  • 0:45

    via JavaScript and there is no good way to keep that from happening.

  • 0:49

    Typically when people go to prevent cross site scripting on their site,

  • 0:54

    they will just encode and, or escape all untrusted information.

  • 0:58

    This kind of thing had worked in the past but now with package managers, you're

  • 1:02

    pulling in JavaScript packages to include other scripts such as Google Analytics and

  • 1:07

    analysis.

  • 1:09

    If these scripts become insecure and

  • 1:11

    compromised, anything you store inside of a session is accessible to these scripts.

  • 1:17

    Even outside of package manager code,

  • 1:20

    if your site contains a script that was placed maliciously,

  • 1:24

    they now have access to sessions for everyone who visit your site.

  • 1:28

    Because of the potential vulnerabilities of session storage,

  • 1:32

    my recommendation is to use cookies.

  • 1:35

    Cookies storage can be a little harder to work with but

  • 1:37

    with packages, such as the Symphony HTTP Foundation package, which

  • 1:43

    we'll be using in this project, creating and updating cookies is much simpler.

  • 1:49

    Cookies can have an HTTP only flag set on them

  • 1:52

    to make them only visible to the browser and no scripts on the site.

  • 1:57

    One of the other nice features of cookies is the ability to set a cookie to

  • 2:01

    only be transmitted over HTTPS, which makes it even more secure.

  • 2:07

    The way we'll be using cookies is to store JSON

  • 2:10

    that contains all information about the user, allowing the cookie to be stateless.

  • 2:16

    The downside of cookies is that they are prone to cross-site request forgery, which

  • 2:21

    allows a hacker to trick the browser into providing the cookie by using a form or

  • 2:26

    image that is hidden from the user.

  • 2:28

    Protecting against cross site request forgery has a few steps

  • 2:33

    that require storing a token in the PHP session

  • 2:36

    that you can also place in a hidden input field on all forms.

  • 2:41

    Then, on a form submission,

  • 2:42

    you would compare the token in the session with the one that was submitted,

  • 2:47

    to make sure that they're both the same before proceeding.

  • 2:50

    Please see the notes associated with this video

  • 2:53

    to find out what you can do to prevent cross site request forgery.

You need to sign up for Treehouse in order to download course files.

Sign up