Which is better and safer, and why? Storing the session ID in a cookie or having the parameter disclosed in the URL?
Cookies vs session id parameter in the url
Having it in the URL is a bad idea, as they are passed to other sites via the referrer when a user clicks an external link on your site (unless they have an outgoing page with no session on it).
They can be easily stolen and can also be easily socially engineered.
However, if you are swapping from URL sessions to $_SESSION or $_COOKIE, then you need to make sure you secure your script, as you can cause even worse security problems than you originally had.
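One way to do the cookie-only setup the answer above recommends, as an added example that is not part of the original thread. It assumes PHP 7.3 or later and a site served over HTTPS; `start_secure_session()` and `on_login()` are hypothetical helper names.

```php
<?php
// Added example: cookie-only PHP session with hardened cookie attributes.

function start_secure_session(): void
{
    // Never accept or emit the session ID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only (assumption: site uses HTTPS)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site subrequests
    ]);
    session_start();

    // Limit what outgoing links reveal about the current URL.
    header('Referrer-Policy: same-origin');
}

// Hypothetical helper: call only after the credentials have been verified.
function on_login(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session,
    // so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_secure_session();

// Old bookmarks may still carry the ID in the query string: drop it and
// redirect so it does not stay in the address bar, history or referrer.
if (isset($_GET[session_name()])) {
    $params = $_GET;
    unset($params[session_name()]);
    $path  = strtok($_SERVER['REQUEST_URI'], '?');
    $query = http_build_query($params);
    header('Location: ' . $path . ($query !== '' ? '?' . $query : ''), true, 302);
    exit;
}
```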