1
00:00:00,390 --> 00:00:03,470
There's been an ongoing debate with where you should store

2
00:00:03,470 --> 00:00:05,700
authenticated user information.

3
00:00:05,700 --> 00:00:10,550
The debate is: should you store your details in cookies or sessions?

4
00:00:10,550 --> 00:00:15,130
Although there is no 100% correct answer for this debate, I'm going to go

5
00:00:15,130 --> 00:00:19,560
over the differences between both, with the positives and negatives of each one.

6
00:00:21,030 --> 00:00:24,660
A lot of people will argue that using sessions is the correct way

7
00:00:24,660 --> 00:00:27,080
of storing information about the user.

8
00:00:27,080 --> 00:00:31,310
The reason I get from a lot of people when asking this is that it's easy.

9
00:00:31,310 --> 00:00:34,520
Although this argument is true, it is also easy for

10
00:00:34,520 --> 00:00:40,450
a hacker to gain access to the same session for cross-site scripting attacks.

11
00:00:40,450 --> 00:00:44,995
Sessions are prone to cross-site scripting because the sessions are accessible

12
00:00:44,995 --> 00:00:49,790
via JavaScript, and there is no good way to keep that from happening.

13
00:00:49,790 --> 00:00:53,490
Typically, when people go to prevent cross-site scripting on their site,

14
00:00:53,490 --> 00:00:58,770
they will just encode and/or escape all untrusted information.

15
00:00:58,770 --> 00:01:03,280
This kind of thing has worked in the past, but now, with package managers,

16
00:01:03,280 --> 00:01:06,700
you're pulling in JavaScript packages to include other scripts,

17
00:01:06,700 --> 00:01:09,670
such as Google Analytics and Analysis.

18
00:01:09,670 --> 00:01:14,750
If these scripts become insecure and compromised, anything you store inside of

19
00:01:14,750 --> 00:01:20,530
sessions is accessible to these scripts, even outside of package manager code.

20
00:01:20,530 --> 00:01:24,140
If your site contains a script that was placed maliciously,

21
00:01:24,140 --> 00:01:27,840
they now have access to sessions for everyone who visits your site.

22
00:01:29,050 --> 00:01:32,910
Because of the potential vulnerabilities of session storage,

23
00:01:32,910 --> 00:01:35,770
my recommendation is to use cookies.

24
00:01:35,770 --> 00:01:40,200
Cookie storage can be a little harder to work with, but with packages,

25
00:01:40,200 --> 00:01:45,060
such as the Symfony HttpFoundation package, which we'll be using in this

26
00:01:45,060 --> 00:01:49,860
project, creating and updating cookies is much simpler.

27
00:01:49,860 --> 00:01:53,830
Cookies can have an HTTP-only flag set on them

28
00:01:53,830 --> 00:01:57,200
to make them visible only to the browser and not to scripts on the site.

29
00:01:58,250 --> 00:02:03,140
One of the other nice features of cookies is the ability to set a cookie to only be

30
00:02:03,140 --> 00:02:08,660
transmitted over HTTPS, which makes it even more secure.

31
00:02:08,660 --> 00:02:12,810
The way we'll be using cookies is to store JSON that contains

32
00:02:12,810 --> 00:02:17,440
all information about the user, allowing the cookie to be stateless.

33
00:02:17,440 --> 00:02:22,410
The downside of cookies is that they are prone to cross-site request forgery,

34
00:02:22,410 --> 00:02:26,150
which allows a hacker to trick the browser into providing the cookie

35
00:02:26,150 --> 00:02:29,050
by using a form or image that is hidden from the user.

36
00:02:30,160 --> 00:02:35,340
Protecting against cross-site request forgery is about securing your forms.

37
00:02:35,340 --> 00:02:39,790
The way this works is that you store a token in your user session

38
00:02:39,790 --> 00:02:44,510
that you also place in a hidden input field on all forms.

39
00:02:44,510 --> 00:02:48,000
Then, on a form submission, you would compare the token

40
00:02:48,000 --> 00:02:51,560
in the user session with the one from the form submission.

41
00:02:51,560 --> 00:02:52,590
If they match,

42
00:02:52,590 --> 00:02:56,190
you can proceed with whatever else your form is designed to handle.

43
00:02:57,260 --> 00:02:59,750
Please see the notes associated with this video

44
00:02:59,750 --> 00:03:04,152
to find out what you can do to prevent cross-site request forgery.