Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
Cookies vs Sessions is an ongoing debate. We will explain what the difference is between the two and when you would use one over the other.
There's been an ongoing debate with where
to store authenticated user information.
0:00
The debate is, should you store
your details in cookies or session?
0:05
Although there is no 100% correct answer
for this debate, I'm going to go over
0:10
the differences between both, with
the positives and negatives of each one.
0:15
A lot of people will
argue that using sessions
0:20
is the correct way of storing
information about the user.
0:23
The reason I get from a lot of people
when asking this is that it's easy.
0:26
Although this argument is true,
it's also easy for
0:31
a hacker to gain access to the same
session for cross site scripting.
0:34
Sessions are prone to cross site scripting
because the sessions are accessible
0:40
via JavaScript and there is no good
way to keep that from happening.
0:45
Typically when people go to prevent
cross site scripting on their site,
0:49
they will just encode and, or
escape all untrusted information.
0:54
This kind of thing had worked in the past
but now with package managers, you're
0:58
pulling in JavaScript packages to include
other scripts such as Google Analytics and
1:02
analysis.
1:07
If these scripts become insecure and
1:09
compromised, anything you store inside of
a session is accessible to these scripts.
1:11
Even outside of package manager code,
1:17
if your site contains a script
that was placed maliciously,
1:20
they now have access to sessions for
everyone who visit your site.
1:24
Because of the potential
vulnerabilities of session storage,
1:28
my recommendation is to use cookies.
1:32
Cookies storage can be a little
harder to work with but
1:35
with packages, such as the Symphony
HTTP Foundation package, which
1:37
we'll be using in this project, creating
and updating cookies is much simpler.
1:43
Cookies can have an HTTP
only flag set on them
1:49
to make them only visible to
the browser and no scripts on the site.
1:52
One of the other nice features of cookies
is the ability to set a cookie to
1:57
only be transmitted over HTTPS,
which makes it even more secure.
2:01
The way we'll be using
cookies is to store JSON
2:07
that contains all information about the
user, allowing the cookie to be stateless.
2:10
The downside of cookies is that they are
prone to cross-site request forgery, which
2:16
allows a hacker to trick the browser into
providing the cookie by using a form or
2:21
image that is hidden from the user.
2:26
Protecting against cross site
request forgery has a few steps
2:28
that require storing
a token in the PHP session
2:33
that you can also place in
a hidden input field on all forms.
2:36
Then, on a form submission,
2:41
you would compare the token in the session
with the one that was submitted,
2:42
to make sure that they're both
the same before proceeding.
2:47
Please see the notes
associated with this video
2:50
to find out what you can do to
prevent cross site request forgery.
2:53
You need to sign up for Treehouse in order to download course files.
Sign up