0

I was wondering which method is best for passing user information from page to page. For instance, the unique user ID: would it be best to encrypt it and then pass it into the URL, like this

$id = md5($row['user_id']);
http://siteName.com?ud=$id

or would it be better to use sessions to store the variable, like this

$_SESSION['user_id'] = $row['user_id'];

I would like to know which is best and why. I think both would work just fine, but I do not know about the security issues. Thanks

George

2 Answers

4

Put it in a session. If you put it in the URL and I'm logged in and want to show something to a friend, so I copy and paste the URL to an email/chat/whatever, and boom, he's logged in as me. Definitely not desirable. With sessions you don't have that problem.

rpkamp

0

Use sessions.

Putting session information in the URL is old and bad. Example: if someone is in a webshop and sends a link to a product to a friend, they will use the same session.

RobSky
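A sketch of the session approach both answers recommend, added here as an example and not part of the original posts. It keeps the user ID server-side and configures PHP so the session ID itself never travels in a URL, which is the leak the answers describe. The function names are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
// Added example: hypothetical helper names, not code from the question or answers.

// Call on every request, before any output is sent.
function start_secure_session(): void
{
    // Never accept or emit a session ID in the URL, so a copied link carries no login.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs that this server did not issue.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // HTTPS only (assumption: the site uses TLS)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site subrequests
    ]);
    session_start();
}

// Call once, right after the credentials have been verified.
// $row is the user's database row, as in the question.
function log_user_in(array $row): void
{
    session_regenerate_id(true);            // new ID at login, old one deleted
    $_SESSION['user_id'] = $row['user_id']; // stays on the server, never in a link
}

// Returns the logged-in user's ID, or null for an anonymous visitor.
function current_user_id()
{
    return $_SESSION['user_id'] ?? null;
}

// Clears the session data, expires the cookie and destroys the session.
function log_user_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Pages then call `start_secure_session()` first and read the ID with `current_user_id()` instead of a `?ud=` query parameter.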