PHP
Artem, 2015-08-20 03:56:25

How to correctly and safely use sessions in conjunction with cookies?

Dear gurus, once again I have to ask you for help!
I'm trying to implement an authentication-authorization mechanism, I've read articles about sessions and cookies, but I still couldn't organize all this information in my head.

  • Passing the session ID in the URL: is it worth it if the user has cookies disabled? After all, in my opinion, it is extremely unsafe. But if such transmission is disabled, what should be done about users who have cookies disabled?
  • What information should be stored in cookies, and what in sessions? The first thing that comes to mind is to store the session id in cookies, and everything else in the session: user id, ip, user-agent. But I feel that this is not correct.

Please point me to the right path.

2 answer(s)
Alexander Taratin, 2015-08-20
@ber_enot

what to do with users who have cookies disabled?

Well, it means that the user knows what he is doing and will not be surprised that he cannot log in.

Arman, 2015-08-20
@Arik

On each request, we check for the session id in cookies; if it is not there, we set some marker in a cookie and redirect to ourselves with another marker in GET; if the GET marker is present and the cookie marker is not, then everything has to be passed through GET and POST. I wanted to do this for phones for a long time, but in practice some phones are glitchy in operation: 10-15 normal requests, and then the cookies are gone. A friend moved everything to GET and everything worked fine, the only exception being that there is now dangerous data in GET.
In fact, all such old phones use Opera Mini, which does not have such problems. You can completely forget about session ids in GET, but at the same time recommend Opera Mini if the user logged in from a very old model.
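
A cookie-only setup along the lines discussed in this thread, shown as an added example that is not part of any participant's post: the session id travels only in a cookie, the probe from the answer above detects disabled cookies, and user data stays in the server-side session. The names `cookie_probe`, `ck`, `login()` and `current_user_id()`, the notice text and the assumption that the site runs over HTTPS are illustrative.

```php
<?php
// Added example. cookie_probe, ck, login() and current_user_id() are
// illustrative names; HTTPS is assumed (the 'secure' cookie flag).

// Never read the session id from a URL and never rewrite links with it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session ids the server did not issue (limits session fixation).
ini_set('session.use_strict_mode', '1');

$cookieOpts = [                      // array form needs PHP 7.3+
    'path'     => '/',
    'secure'   => true,              // sent over HTTPS only
    'httponly' => true,              // not readable from JavaScript
    'samesite' => 'Lax',
];
session_set_cookie_params(['lifetime' => 0] + $cookieOpts);

// Probe: set a marker cookie and redirect to ourselves with a GET marker.
// GET marker present but cookie marker absent => cookies are disabled.
if (!isset($_COOKIE['cookie_probe'])) {
    if (isset($_GET['ck'])) {
        exit('Cookies are required to log in. Please enable them.');
    }
    setcookie('cookie_probe', '1', $cookieOpts);
    // SCRIPT_NAME is set by the server, so the redirect stays on this site.
    $query = http_build_query(['ck' => 1] + $_GET);
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?' . $query, true, 302);
    exit;
}

session_start();

// Call only after your own credential check has succeeded.
function login(int $userId): void
{
    session_regenerate_id(true);     // fresh id when privileges change
    $_SESSION['user_id'] = $userId;  // identity is kept server-side
    $_SESSION['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

function current_user_id(): ?int
{
    // A changed User-Agent is treated as a different client.
    if (($_SESSION['ua'] ?? '') !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
        return null;
    }
    return $_SESSION['user_id'] ?? null;
}
```

The User-Agent comparison is only a weak consistency check; the protection comes from the cookie flags, strict mode and regenerating the id at login.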
