Friday, 28 December 2012

Sessions and cookies


Cookies are one way for a website to recognise a returning user. The nice thing about cookies is that they are decentralized: the data lives in the user's browser, so you do not need to create database tables or add and remove rows, you just store the value in the cookie and check whether it is set on later requests. As such, cookies suit pages that handle a small amount of low-sensitivity data, usually user preferences. Keep in mind that the browser sends the cookie back exactly as the user (or any script running on their machine) chooses, so nothing stored there can be trusted without a check on the server.
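Because a preference cookie is stored and returned by the client, the server has no way to know whether it still holds what was written unless it can verify it. The block below is an added example, not code from the original post: it signs the cookie value with an HMAC so that a tampered or forged preference cookie is rejected instead of being silently trusted. The key `SECRET_KEY` and the `payload.signature` layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side secret for this example only; a real deployment loads it
# from configuration and rotates it, it is never hard-coded.
SECRET_KEY = b"example-secret-key-rotate-me"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pref_cookie(prefs: dict, key: bytes = SECRET_KEY) -> str:
    """Encode a preferences dict as 'payload.signature' for use as a cookie value."""
    payload = _b64(json.dumps(prefs, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def read_pref_cookie(value: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the preferences dict if the signature verifies, otherwise None.

    Anything the browser hands back that was not produced by make_pref_cookie with
    the same key (edited payload, made-up value, wrong key) fails closed.
    """
    if value.count(".") != 1:
        return None
    payload, sig = value.split(".")
    try:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak the signature.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    cookie = make_pref_cookie({"theme": "dark", "lang": "en"})
    print("issued:", cookie)
    print("verified:", read_pref_cookie(cookie))
    # A user editing the payload in their browser keeps the old signature, so it no longer matches.
    payload, sig = cookie.split(".")
    tampered = _b64(b'{"lang":"en","theme":"light"}') + "." + sig
    print("tampered:", read_pref_cookie(tampered))
```

The same pattern applies to anything else you are tempted to keep client-side: sign it, verify before use, and treat a failed check as "not set" rather than as an error the user can probe.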


Sessions are variables stored on your server and tied to a user by a session ID that the browser presents on each request, usually in a cookie. Unlike cookie contents, users cannot directly modify session data, because only the ID travels to the client. There are still security risks, though: the two main threats to sessions are session fixation and session hijacking.

Session Fixation

Session fixation is when the attacker chooses the session ID in advance and gets the victim to use it. A simple example is a link to a website with the session ID already embedded in the URL: if the site accepts that ID and keeps it after the user logs in, the attacker, who already knows the ID, can visit the site with it and act inside the victim's authenticated session. The defence is to never accept session IDs the server did not issue itself and to regenerate the ID whenever the user logs in or their privileges change.
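To make the attack and its fix concrete, here is an added example (not code from the original post) with a minimal in-memory session store that can be configured either way. `fixation_attack` replays the scenario above: the attacker plants `attacker-chosen-id`, the victim follows the link and logs in, and the attacker then tries the planted ID. The store, its two policy switches and the constant ID are all constructed for this illustration; a real application would also have to send the regenerated ID back to the browser in a Set-Cookie header, which this model leaves out.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self, regenerate_on_login: bool, accept_unknown_ids: bool):
        self._sessions: Dict[str, dict] = {}   # session id -> session data
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_ids = accept_unknown_ids

    def new_id(self) -> str:
        # 256 bits from the OS CSPRNG; an id must be unguessable as well as unfixable.
        return secrets.token_urlsafe(32)

    def resolve(self, presented_id: Optional[str]) -> str:
        """Return the session id the server will use for this request.

        The vulnerable configuration trusts any id the client presents (for example
        one smuggled in via ?sid=... in a link) and creates a session under it.
        The hardened configuration only honours ids it issued and hands out a fresh
        one for anything else.
        """
        if presented_id in self._sessions:
            return presented_id
        if presented_id and self.accept_unknown_ids:
            self._sessions[presented_id] = {}
            return presented_id
        sid = self.new_id()
        self._sessions[sid] = {}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the session; with regeneration the data moves to a new id."""
        data = self._sessions[sid]
        data["user"] = username
        if self.regenerate_on_login:
            new_sid = self.new_id()
            self._sessions[new_sid] = data
            del self._sessions[sid]   # the id the attacker knows is now dead
            return new_sid
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def fixation_attack(store: SessionStore) -> Optional[str]:
    """Replay the attack from the text; return the user the attacker ends up as."""
    fixed_id = "attacker-chosen-id"        # id the attacker put in the link
    victim_sid = store.resolve(fixed_id)   # victim follows the link
    store.login(victim_sid, "alice")       # victim logs in
    return store.user_for(fixed_id)        # attacker reuses the id they planted


if __name__ == "__main__":
    vulnerable = SessionStore(regenerate_on_login=False, accept_unknown_ids=True)
    hardened = SessionStore(regenerate_on_login=True, accept_unknown_ids=False)
    print("vulnerable store, attacker is:", fixation_attack(vulnerable))
    print("hardened store, attacker is:", fixation_attack(hardened))
```

Either switch on its own is enough to stop this particular replay, but both are worth having: refusing unknown IDs stops the planted ID from ever becoming a session, and regenerating on login protects you even if an ID leaked some other way before authentication.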

Session Hijacking

Session hijacking is the second type of risk, and is much harder to defend against. Here the attacker obtains your existing session ID by packet sniffing or various other methods. For example, an attacker on the same network can capture the traffic between your machine and the router and read the session cookie out of any request sent over plain HTTP. Once the session ID has been obtained, the attacker presents it to the site and gains access to everything your session can see. Sending the cookie only over HTTPS (the Secure flag), keeping it out of reach of page scripts (HttpOnly), and expiring idle sessions quickly all narrow the window in which a stolen ID is useful.
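The attributes on the Set-Cookie header are where most of the hijacking defence lives, so the following added example (not code from the original post) builds a hardened session cookie header with the standard library and audits arbitrary Set-Cookie lines for the attributes that are missing. The cookie name `sid`, the 30-minute lifetime and the sample headers are constructed for this illustration.

```python
from http import cookies
from typing import List


def session_cookie_header(name: str, sid: str, max_age: int = 1800) -> str:
    """Build a Set-Cookie line whose attributes limit how far a sniffed id can travel."""
    jar = cookies.SimpleCookie()
    jar[name] = sid
    morsel = jar[name]
    morsel["secure"] = True        # never sent over plain HTTP, so passive sniffing sees nothing
    morsel["httponly"] = True      # not readable via document.cookie, blunts theft through XSS
    morsel["samesite"] = "Lax"     # not attached to most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # short lifetime narrows the replay window
    return jar.output(header="Set-Cookie:")


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header line.

    SameSite=None is reported as missing because it opts out of the protection.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:            # parts[0] is name=value of the cookie itself
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "samesite" not in attrs or str(attrs["samesite"]).lower() == "none":
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    hardened = session_cookie_header("sid", "abc123")
    print(hardened)
    print("missing on hardened header:", audit_set_cookie(hardened))
    # Constructed example of a typical default header with no protective attributes.
    weak = "Set-Cookie: PHPSESSID=abc123; Path=/"
    print("missing on weak header:", audit_set_cookie(weak))
```

Run the audit against the headers your own application emits (curl -I or the browser's network panel shows them). It does not replace serving the whole site over HTTPS, which is what actually stops the sniffing described above; the Secure flag only ensures the cookie is never sent outside that channel.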
