Shawn Harrison
harrison at tbc.net
Wed Feb 9 09:47:28 EST 2005
> On 09/02/2005, at 11:21 AM, Jef Dodson wrote:
>
>> This might be a naive question, but how does one know whether to use a
>> Cookie or a Session for session/state management? What are the major
>> differences? My interest is in simply allowing someone to login to a
>> site and then be able to identify that user when they make subsequent
>> requests in order to send them customized content. So, this is pretty
>> standard stuff, but is it better to use cookies or session objects for
>> this. Thanks.
>
> If you use cookies directly, each variable that you want to set (such as
> username) is stored client-side, in the browser of the person looking at
> the page. If you use session objects, only the session id is stored
> client-side. All the other variables are stored server-side, keyed to the
> session id.

Byron Ellacott wrote [02/08/05 11:41 PM]:
>
> [...]
>
> Just bear in mind, it would be trivial to spoof yourself to appear to be
> another user with such a simple scheme. If this is in any way bad, you
> would probably want to consider at least using a SignedCookie instead of
> a regular Cookie object. The documentation for the Cookie module can
> help you further.
>

I recently set up session management on my last project and had the same
question about "Session vs just Cookie" for session management. I ended up
going with the Session object primarily because the session id, which is
stored in a cookie, would be very hard to spoof. Then the username and any
other information is stored server-side. This arrangement is a bit more
secure than just storing usernames in cookies.

-- 
________________
harrison at tbc.net
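An added illustration of the three schemes the thread compares (not code from the thread or from mod_python): a plain username cookie anyone can edit, an HMAC-signed cookie in the spirit of the SignedCookie suggestion, and a server-side session keyed by an unguessable id. The key, function names and `SessionStore` class are constructed for this example.

```python
"""Plain cookie vs. HMAC-signed cookie vs. server-side session (illustrative)."""
import hmac
import hashlib
import secrets

# Constructed secret for the example; a real deployment loads this from config.
SERVER_KEY = b"constructed-example-key-not-for-production"


def plain_cookie(username: str) -> str:
    """Scheme 1: the username itself is the cookie value. The client can rewrite it."""
    return f"username={username}"


def signed_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Scheme 2: value plus an HMAC tag. Changing the value invalidates the tag."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"username={username}|{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the tag verifies, otherwise None (reject, do not trust)."""
    _, _, payload = cookie.partition("=")
    value, sep, tag = payload.rpartition("|")
    if not sep:                      # an unsigned cookie is simply rejected
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a mismatch leaks nothing via timing
    return value if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Scheme 3: only a random id goes to the client; the data stays server-side."""

    def __init__(self):
        self._sessions = {}

    def create(self, **data) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits of entropy; not guessable
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid: str):
        """Unknown or forged ids return None; there is nothing client-side to edit."""
        return self._sessions.get(sid)
```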