Good practices for a login system: Sessions / Cookies

2

I would like to know some important points when it comes to making a login system:

Sessions vs. Cookies

  • Which one is most appropriate for security issues?
  • Which uses less server resources? (case in a large application)
  • Which is the fastest?

And other important tips for a more efficient system.

asked by anonymous 06.08.2016 / 21:06

1 answer

4

In security issues: Session wins because cookies are text files saved on the client computer, so they can be manipulated.

However, to avoid session manipulation, you should specify some security settings (for more information, read the PHP manual section on Sessions and Security), which will help prevent Session Hijacking and Session Fixation:

    $timeout = 30; // session timeout in minutes (assumed value; the answer leaves $timeout undefined)
    ini_set('session.gc_maxlifetime', ($timeout * 60)); // maximum session lifetime in seconds
    ini_set('session.use_strict_mode', true); // accept only session IDs created by the session module
    ini_set('session.use_cookies', true); // use together with use_only_cookies
    ini_set('session.use_only_cookies', true); // session ID accepted only from a cookie, never from the URL
    ini_set('session.cookie_httponly', true); // cookie accessible only over HTTP (not from JavaScript)
    ini_set('session.cookie_secure', true); // cookie sent only over HTTPS
    ini_set('session.hash_function', 'sha512'); // hash used to generate session IDs (removed in PHP 7.1): makes IDs harder to guess, hindering Session Hijacking
    ini_set('session.use_trans_sid', false); // transparent SID support disabled
    ini_set('session.referer_check', 'https://www.seusite.com.br'); // reject requests whose Referer does not contain this string
    ini_set('session.cache_limiter', 'nocache'); // do not cache
    session_start(); // IMPORTANT: only after all the ini_set() calls above
    session_regenerate_id(true); // renew the session ID; must run after session_start(), since it requires an active session

Ideally, for security reasons, you should use HTTPS for everything, but if you do not have HTTPS available on your PHP server, you will need to:

ini_set('session.cookie_secure', false);

Which uses fewer server resources: Cookies, since they can be handled entirely by the client computer through JavaScript.

The fastest: Cookies, since they do not have to make requests to the server.

Final considerations: Use SESSION to store confidential data and COOKIES for all other data.

NOTE: JavaScript's Web Storage is already available and is faster than cookies.

  • sessionStorage = data is CLEARED when the browser is closed
  • localStorage = data is stored indefinitely

Usage:

sessionStorage.setItem('variavel_temporaria', 'valor da variavel'); // set a value
var conteudo = sessionStorage.getItem('variavel_temporaria'); // read the value

localStorage.setItem('variavel_tempo_indeterminado', 'valor da variavel2'); // set a value
var conteudo2 = localStorage.getItem('variavel_tempo_indeterminado'); // read the value

I hope I have helped!

06.08.2016 / 21:35
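The answer lists the hardening settings but leaves open where in a login flow they belong; the following is an added example (not code from the answer above) of a minimal PHP login, logout and idle-timeout flow that applies them at the right points. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()`) and a hypothetical `verify_credentials()` helper that checks the submitted password against your user store.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3 and a
// hypothetical verify_credentials() helper that checks against your user store.
const IDLE_TIMEOUT = 30 * 60; // seconds of inactivity before a login expires (assumed value)

function secure_session_start(): void {
    // ini settings must be applied before session_start()
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not create
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // gc_maxlifetime only says when the garbage collector MAY remove a session;
    // enforce the idle timeout explicitly on every request.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        session_start(); // continue with a fresh, anonymous session
    }
    $_SESSION['last_activity'] = time();
}

function login(string $user, string $pass): bool {
    if (!verify_credentials($user, $pass)) { // hypothetical helper
        return false;
    }
    // Regenerate after session_start() and after authentication succeeds, so a
    // session ID issued before login cannot be reused (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void {
    $_SESSION = [];
    // Expire the cookie in the browser, then destroy the server-side session data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call `secure_session_start()` at the top of every request, and `login()` only from the form handler, so the ID regeneration always happens on an already active session.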