sessions use cookies, so.... they're just about the same! I would use an expiring session, and depending on the level of security you need, have it based on IP as well
Store the IP in a cookie/session variable, and read it on each page load. If it changes, expire the cookie/session.
PHP's online manual about sessions: http://www.php.net/session. A recent DP thread about session security: http://forums.digitalpoint.com/showthread.php?t=127825 Hope this will help you.
If you want to be secure, don't store any information in session or cookie, just a randomised string that identifies a row in your database that contains the info you want. Then load the data out of the database based on the session/cookie key. This way there are no security issues. Cheers, Glenn
If you're using sessions, I can still hijack a session, get someone else's unique id that you've stored in the session. Then with that id I'll have the credentials tied to it in the database. The problem is sessions are inherently insecure. You should regenerate the user's session id immediately before and after logging in and every 5 or 10 minutes. The single most important thing you can do is validate any data you're receiving from a user. If a username/password is only allowed to be alphanumeric, you should check for any non-alphanumeric characters and stop the script cold if you find any. If you have a file upload, validate what types of files are being uploaded.
-the mole
*edit* Here's a decent article on XSS and getting session_ids: http://www.informit.com/articles/article.asp?p=603037&rl=1 (changed this url to the actual article)
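A PHP session bootstrap that puts the advice from this thread into working code: HttpOnly cookie-only sessions, regeneration on login and every 10 minutes, optional IP binding, and a strict alphanumeric check on the username. This is an example added here, not code from any of the posters; the function names (secure_session_start, on_login, valid_username) and the session keys client_ip / last_regen are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from any poster in the thread. secure_session_start(),
// on_login(), valid_username() and the session keys below are assumed names.
const REGEN_INTERVAL = 600; // regenerate the session id every 10 minutes

function secure_session_start(): void
{
    // Cookie-only sessions with HttpOnly (and Secure over TLS) cookies
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([          // array form needs PHP >= 7.3
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // IP binding as suggested in the thread. Caveat: clients behind
    // rotating proxies or on mobile networks will be logged out.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (isset($_SESSION['client_ip']) && $_SESSION['client_ip'] !== $ip) {
        session_unset();                 // drop everything the old id held
        session_regenerate_id(true);
    }
    $_SESSION['client_ip'] = $ip;

    // Periodic regeneration limits how long a captured id stays useful
    if (!isset($_SESSION['last_regen'])) {
        $_SESSION['last_regen'] = time();
    } elseif (time() - $_SESSION['last_regen'] > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}

// Call only after the credentials have been verified. The fresh id means an
// id fixed or captured before login is not tied to the logged-in user.
// Only the row key goes into the session; the rest is loaded per request.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['last_regen'] = time();
}

// Input check from the last post: reject anything but alphanumerics outright
function valid_username(string $u): bool
{
    return $u !== '' && strlen($u) <= 32 && ctype_alnum($u);
}
```

Call secure_session_start() at the top of every page before any output, and on_login() only once the password has been checked.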