2

I've got a website with a login feature, and I'm storing the person's username into a cookie.

I've got a few questions:

  1. If I want to have the person's username saved, should it be done solely as a session or a cookie?
  2. What should I do for those who have cookies disabled? Should I not store anything and just have them log in each time?

Thanks.

Erik Fischer
  • If cookies are disabled, session cookies still work with the direct URL as GET variables. `?session=d41d8cd98f00b204e9800998ecf8427e` I would recommend showing some sort of a page indicating that the user should enable cookies instead. – Dave Chen Aug 24 '13 at 05:28
  • You should check out HTML5 Local Storage – Mr. Alien Aug 24 '13 at 05:34
  • @DaveChen Not a fan of putting information into the URL. :P – Erik Fischer Aug 24 '13 at 05:38

4 Answers

4
  1. A user's details should be saved in a session. Session variables are stored on the server, and only the session ID is exposed to the user. Use cookies to preserve the login state over a long time. Make sure to do it securely.
  2. Users with cookies disabled can only use sessions via a GET variable. The session ID is passed back to the server via the URL.

See How do Cookies and Sessions work? for more information.

Madara's Ghost
  • Should the cookie be checked on every page load for security or just when the user logs in? – Erik Fischer Aug 24 '13 at 05:47
  • @ErikFischer: The session should be checked first. If there's no session ID, check the cookie to authenticate the user. All in all, there's nothing better than the old-fashioned "submit the login form again" to make sure the user is who he says he is. For more information about secure cookies, read http://jaspan.com/improved_persistent_login_cookie_best_practice – Madara's Ghost Aug 24 '13 at 05:48
  • Here's a short part of my login page. Is this secure? I'm using/showing the cookie on other pages after the user logs in, by the way: [http://pastebin.com/eKmzPq7m](http://pastebin.com/eKmzPq7m) – Erik Fischer Aug 24 '13 at 05:54
  • @ErikFischer: Your cookie is not secure. You are only keeping the user's username, which implies that your server will blindly believe that whatever username is written in the cookie, is the actual username of the user. For that reason, you don't need to know a user's password to log into his account, just his username (because if I alter my cookie to read "Admin", I would be instantly logged in to the account of that username). Read the article I linked for a more thorough and secure way. – Madara's Ghost Aug 24 '13 at 05:58
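The persistent-login scheme the linked article and the comments above describe, as an added example that is not code from the original question or answers: the cookie carries a random selector and a random validator, the server stores only a hash of the validator, and editing the cookie to another username proves nothing. The in-memory `Store`, the function names and the sample user are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    # Constructed in-memory stand-in for a database table:
    # selector -> (username, sha256(validator)).
    tokens: dict = field(default_factory=dict)


def issue_cookie(store: Store, username: str) -> str:
    """After a successful password login, mint a remember-me cookie value."""
    selector = secrets.token_urlsafe(12)    # public lookup key
    validator = secrets.token_urlsafe(32)   # secret; only its hash is stored
    digest = hashlib.sha256(validator.encode()).hexdigest()
    store.tokens[selector] = (username, digest)
    # Send this as a Secure, HttpOnly cookie; the username never leaves the server.
    return f"{selector}:{validator}"


def user_from_cookie(store: Store, cookie: str):
    """Return the username this cookie proves, or None if it proves nothing."""
    if cookie.count(":") != 1:
        return None
    selector, validator = cookie.split(":")
    record = store.tokens.get(selector)
    if record is None:
        return None
    username, stored_digest = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(presented, stored_digest):
        # Known selector with a wrong validator means the token was stolen or
        # is being guessed: revoke it instead of merely rejecting the request.
        del store.tokens[selector]
        return None
    return username


def insecure_user_from_cookie(cookie: str):
    """The pattern criticised in the comments: the cookie *is* the username,
    so whatever the client writes into it is believed."""
    prefix = "username="
    return cookie[len(prefix):] if cookie.startswith(prefix) else None
```

A SHA-256 of a 32-byte random validator is sufficient here because the secret is high-entropy; a slow password hash is only needed when the secret is user-chosen.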
1

If I want to have the person's username saved, should it be done solely as a session or a cookie?

The standard way to implement sessions is to use a cookie. The only question is if you want to store a persistent cookie so that they don't have to log in again if they close their browser and then come back later.

What should I do for those who have cookies disabled? Should I not store anything and just have them log in each time?

While you can implement a session system by passing a token through the query string of every link and a hidden input in every form, this approach makes it easy to leak sessions (as people will copy/paste URLs and give them to other people) and requires more effort (especially if you ever start directing browsers to URLs using JavaScript).

Cookies are the standard way to hold state on the WWW and it is entirely reasonable for parts of a site that depend on state (such as tracking who is logged in) to only work if the user has cookies enabled.

It is a tiny minority of users who disable cookies; if they want to log in to a site, they can re-enable them.

Quentin
-1

Surely a session is better; if you save it as a cookie, anyone can inject by it: edit his/her browser cookie to log in as another user. But maybe it's better to read about session hijacking too.

Instead of a cookie, for those who have a modern browser you can use Web Storage.

Moein Hosseini
  • Are they actually "logged in" as another user (as in, could they post under their name, etc) or does it just display the other person's name on their screen? – Erik Fischer Aug 24 '13 at 05:39
  • It depends on your code; if you authenticate users with a saved cookie which contains the username, they are logged in as another user and can act like him/her. – Moein Hosseini Aug 24 '13 at 05:42
  • For one, it's called localStorage, and second: w3schools is a wrong and misleading site. You shouldn't use it as a reference for any sort of language. For PHP, there's the [PHP Manual](http://php.net), for JavaScript, there's [Mozilla Developer Network (or MDN)](https://developer.mozilla.org/). See http://w3fools.com to further understand why you should never use w3schools. – Madara's Ghost Aug 24 '13 at 05:43
  • local Storage + session Storage = Web Storage :) – Moein Hosseini Aug 24 '13 at 05:47
  • @MadaraUchiha: take look at http://www.sitepoint.com/html5-web-storage/ – Moein Hosseini Aug 26 '13 at 19:31
-1

If you're only saving the username so a user is "remembered," and not the password, then using a cookie should be ok. But when retaining a user's log-in info for each usage (i.e. session) then you should always use a session. In other words, only use a cookie for non-secure information that is needed from one use to the next and use sessions for secure info that is needed for each individual use.

Lee Blake
  • Really? Are you sure about that? Because I can just change my cookie to read "Admin", and I'm suddenly logged in to the admin's account! – Madara's Ghost Aug 24 '13 at 05:44
  • You'd still have to know the admin's password to actually log in. – Lee Blake Aug 24 '13 at 05:47
  • No you won't. If your cookie only keeps the username, and the server would just believe that whatever's written in that cookie is true, then all I need to know is the admin's username. The server will believe that I'm him because I have his password. – Madara's Ghost Aug 24 '13 at 05:49
  • But you don't have his password... you just have his username. – Lee Blake Aug 24 '13 at 05:55
  • So say I have this cookie, `username=Madara`, all is well. When I access the server, I present my cookie, and the server authenticates me as "Madara". What would happen if I change the cookie at my browser to read `username=LeeBlake`? – Madara's Ghost Aug 24 '13 at 05:58
  • Then the server would think you were LeeBlake. But if the developer has better coding skills than just checking the username in the cookie, then you get nothing. A cookie is just a file on the local machine. If you use it correctly, then there's nothing to worry about. – Lee Blake Aug 24 '13 at 06:05
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/36153/discussion-between-madara-uchiha-and-lee-blake) – Madara's Ghost Aug 24 '13 at 10:30