22

With regards to security and convenience which cookies are better the PHP ones or the JavaScript ones?

4
  • 18
    I didn't know HTTP cookies came in different flavours. Commented Aug 15, 2009 at 12:23
  • 3
    @Greg, actually it does :). There is a Cookie2 specification. Only supported by Opera though. Commented Aug 15, 2009 at 13:10
  • 2
    Cookies and security never go in the same sentence. Commented Aug 15, 2009 at 22:49
  • @Mike B, well that's very naive and wrong. It only matters what you store in it. Commented Aug 16, 2009 at 4:00

6 Answers

40

They are the same ones: in both cases the cookie is sent to the browser, stored there, and the browser sends it back to you on every request until it expires or is deleted.

For that reason, you should never use cookies for security, as your question implies, nor for any data which you consider important to keep unaltered by the end user.

There are five things to always remember when you use cookies:

  1. You cannot trust its content.
  2. You cannot assume it will still be there on the next request.
  3. You cannot trust its content.
  4. You cannot assume the user never visited before if it's not there.
  5. You cannot trust its content.

If you get that, accessing cookies from PHP or JavaScript is simply a question of what's more convenient to you.


1 Comment

If you think cookies are secure, you should look at this plugin for Firefox -> addons.mozilla.org/en-US/firefox/addon/573

8

I'm not sure if, at the time you asked the question, you were aware of the fact that some browsers support an additional HTTPOnly flag for cookies. In that regard, cookies sent with PHP that contain the HTTPOnly flag cannot be modified by client-side JavaScript code in browsers that support the feature, which strengthens the security somehow.

So, users that have a browser supporting HTTPOnly cookies will be better protected against XSS attacks.
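
The HttpOnly flag the answer refers to is just an attribute on the `Set-Cookie` response header that PHP's `setcookie()` emits; a browser that honours it keeps the cookie out of `document.cookie`. The block below is an added example in Node.js, not code from the answer or from PHP: it builds such a header the way `setcookie()` does (URL-encoding the value, as PHP does by default), parses one back, and audits it for the attributes a reviewer would expect on a session cookie. `buildSetCookie`, `parseSetCookie`, `auditSetCookie` and `scriptVisibleCookies` are assumed names; `PHPSESSID=abc123` is a constructed value.

```javascript
// Added example: the Set-Cookie header behind setcookie(), and an audit of its attributes.
// Not part of the original answer; function names are assumptions.

// Build a Set-Cookie header value. Attribute names are the standard ones browsers recognise.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge != null) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value into { name, value, attrs }. Attribute names are
// case-insensitive, so they are lower-cased; flag attributes without "=" become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair.trim() : pair.slice(0, eq).trim(),
    value: eq < 0 ? "" : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const raw of rest) {
    const i = raw.indexOf("=");
    const key = (i < 0 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : raw.slice(i + 1).trim();
    if (key) cookie.attrs[key] = val;
  }
  return cookie;
}

// Audit one Set-Cookie header for the attributes a session cookie should carry.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push("missing HttpOnly: readable via document.cookie, so script injected by XSS can read it");
  }
  if (!c.attrs.secure) findings.push("missing Secure: also sent over plain HTTP");
  if (!c.attrs.samesite) findings.push("missing SameSite: also sent on cross-site requests");
  return { name: c.name, findings };
}

// Which cookies from a response would page script be able to see? Only those without HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

// Constructed demo values.
const hardened = buildSetCookie("PHPSESSID", "abc123", {
  path: "/", secure: true, httpOnly: true, sameSite: "Lax",
});
const weak = buildSetCookie("PHPSESSID", "abc123", { path: "/" });
console.log(hardened);                 // PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
console.log(auditSetCookie(weak));     // three findings
console.log(scriptVisibleCookies([hardened, "theme=dark; Path=/"])); // [ 'theme' ]
```

Running the audit over the `Set-Cookie` headers a PHP application actually returns is a quick way to confirm that the session cookie really is HttpOnly, rather than assuming it because it was set server-side.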


8

There is no such thing as a 'php' cookie or 'JavaScript' cookie.

A cookie is a cookie. The important thing is what you store in it. So, what are you storing in them?

4 Comments

  • There are no PHP or JavaScript cookies, but there are HTTPOnly cookies, that only PHP can set.
  • @Silky, I am aware of the fact, but I wanted to know about the pros and cons w.r.t. the implementation of the cookies in PHP or JS.
  • It doesn't matter (only in regards to HttpOnly, as discussed). As I said, it's important what you are putting in it. Where you set it doesn't matter.
  • If you want to set a cookie after the load balancer response, then JavaScript ;p

6

Well, I'm not a security guru, but one thing's for sure. If you set them in JavaScript, since it's front-end, the user will see how you read and write your cookies and what you put in them, which means he has a lead. Doing this in PHP will not show him how you're reading and writing them and what you are doing with them.

4 Comments

  • The end user can see the cookie either way.
  • It will still show the value, and an intelligent user can probably work out what it is anyway, unless it's encrypted (no, base64 doesn't count), or something unintelligible like a hash/session id.
  • Yes, he can see it, but if it's encrypted or something, he will not see how it's built.
  • skidding: while I understand where you're going with that, this is not the kind of security I would vouch for. If the user reading its content is a security concern, then it probably shouldn't be in a cookie.

2

If you are talking about session cookies, then they can be considered to be secure in comparison with normal ones.


0

They are exactly the same: when you call setcookie() in PHP, all it does is send an HTTP header that is interpreted by the browser to store a cookie for a given lifetime. The same happens with JavaScript.
