Cookies: Are they insecure?

01-07-2004, 05:15 AM
I read at php-freaks that cookies aren't enabled on a lot of browsers because they store user information. I use cookies on my site and want to know if this will make it so users on these browsers can't log in at all, or just so they can't use the "stay logged in" function where their login information is stored? And do cookies act exactly like sessions if the user does not decide to use the stay logged in function?

01-07-2004, 06:17 AM
On a forum, it will ask you to login. The info will be stored in a cookie. If the user has cookies disabled, it will say they logged in on the next page and may say they have X amount of new messages, etc. But if they try to view a topic they shouldn't or do anything that a guest couldn't do, it will fail to see that they are logged in when it checks. It may be good practice to avoid using cookies unless you absolutely have to. You may want to make a notice or custom error message saying that cookies are required when you must use them.

01-07-2004, 06:44 AM
Never keep sensitive data in a cookie, and don't rely on support for cookies at all.

If you use PHP sessions it will store a cookie for the session id, and all other data will be stored on the server itself. If the client doesn't allow cookies then it will use transient SID: it writes the session id into URLs and forms and carries it between pages in GET or POST information.
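As an added example that is not from this thread: a PHP login page set up for the cookie-only sessions described above, with all user data kept server-side and a check that shows the "cookies required" notice the earlier reply suggests. It assumes PHP 7.3 or later served over HTTPS; checkCredentials() is a placeholder for the site's own password check.

```php
<?php
// Added example (not from the thread): cookie-only PHP sessions with user data
// kept server-side, plus a check that tells the user when cookies are blocked.
// Assumes PHP 7.3+ over HTTPS; checkCredentials() is an undefined placeholder.
// Keep the session id in a cookie only: the transient-SID fallback copies the
// id into every URL, where it leaks through Referer headers and shared links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie, not a persistent credential
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();
// First request: session_start() has just set the cookie, so redirect once with
// a marker. Second request: marker present but no cookie came back -> blocked.
function cookiesBlocked(): bool
{
    if (isset($_COOKIE[session_name()])) {
        return false;
    }
    if (isset($_GET['cookiecheck'])) {
        return true;
    }
    $sep = strpos($_SERVER['REQUEST_URI'], '?') === false ? '?' : '&';
    header('Location: ' . $_SERVER['REQUEST_URI'] . $sep . 'cookiecheck=1');
    exit;
}

// The cookie carries only an opaque id; everything about the user stays in
// $_SESSION. A fresh id at login keeps a pre-login id from becoming a session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}
if (cookiesBlocked()) {
    http_response_code(400);
    exit('Cookies are required to log in. Please enable them and try again.');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = checkCredentials($_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($userId !== null) {
        loginUser($userId);
    }
}
```

Because the id is never written into URLs, a user with cookies blocked gets the notice instead of a half-working login like the one described in the first reply.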

01-07-2004, 11:28 AM
I would be interested to see any stats on how many users have cookies enabled/disabled (could not find any at a quick glance), but SecuritySpace.com (http://www.securityspace.com/s_survey/data/man.200312/cookieReport.html) reckon that 18% of sites utilise them, and many sites (wrongly IMO) rely on cookies for shopping carts etc. to the extent that the site will not work without them.

All major browsers come with cookies enabled by default, though some users will disable them, but mostly not I suspect... As Tail suggests, if your site needs them, let the user know!

To check if your site works without cookies, simply disable them in your browser preferences and see what happens!