Cookies vs. Session Storage

There's been an ongoing debate with where to store authenticated user information. 0:00 The debate is, should you store your details in cookies or session? 0:05 Although there is no 100% correct answer for this debate, I'm going to go over 0:10 the differences between both, with the positives and negatives of each one. 0:15 A lot of people will argue that using sessions 0:20 is the correct way of storing information about the user. 0:23 The reason I get from a lot of people when asking this is that it's easy. 0:26 Although this argument is true, it's also easy for 0:31 a hacker to gain access to the same session for cross site scripting. 0:34 Sessions are prone to cross site scripting because the sessions are accessible 0:40 via JavaScript and there is no good way to keep that from happening. 0:45 Typically when people go to prevent cross site scripting on their site, 0:49 they will just encode and, or escape all untrusted information. 0:54 This kind of thing had worked in the past but now with package managers, you're 0:58 pulling in JavaScript packages to include other scripts such as Google Analytics and 1:02 analysis. 1:07 If these scripts become insecure and 1:09 compromised, anything you store inside of a session is accessible to these scripts. 1:11 Even outside of package manager code, 1:17 if your site contains a script that was placed maliciously, 1:20 they now have access to sessions for everyone who visit your site. 1:24 Because of the potential vulnerabilities of session storage, 1:28 my recommendation is to use cookies. 1:32 Cookies storage can be a little harder to work with but 1:35 with packages, such as the Symphony HTTP Foundation package, which 1:37 we'll be using in this project, creating and updating cookies is much simpler. 1:43 Cookies can have an HTTP only flag set on them 1:49 to make them only visible to the browser and no scripts on the site. 1:52 One of the other nice features of cookies is the ability to set a cookie to 1:57 only be transmitted over HTTPS, which makes it even more secure. 2:01 The way we'll be using cookies is to store JSON 2:07 that contains all information about the user, allowing the cookie to be stateless. 2:10 The downside of cookies is that they are prone to cross-site request forgery, which 2:16 allows a hacker to trick the browser into providing the cookie by using a form or 2:21 image that is hidden from the user. 2:26 Protecting against cross site request forgery has a few steps 2:28 that require storing a token in the PHP session 2:33 that you can also place in a hidden input field on all forms. 2:36 Then, on a form submission, 2:41 you would compare the token in the session with the one that was submitted, 2:42 to make sure that they're both the same before proceeding. 2:47 Please see the notes associated with this video 2:50 to find out what you can do to prevent cross site request forgery. 2:53