Advantages and disadvantages of cookie-based session in php-PHP source code

Now many of our friends will store the session in the cookie when performing website security verification, so that we can encrypt some data, so what are their advantages and disadvantages and those security problems? Next, let's make a comparison. Now many of our friends will store the session in the cookie when performing website security verification, so that we can encrypt some data, so what are their advantages and disadvantages and those security problems? Next, let's make a comparison.

Script ec (2); script

This article does not discuss session or cookie. Many websites now talk about cookie-based session. The advantages and disadvantages of cookie-based session are discussed below:

Advantages:

1. reduce the pressure on the server. For example, PHP sessions are in the file storage format by default, which reduces the disk pressure and does not cause more fragments to the disk.
2. When you are working on a cluster, do you want to synchronize sessions? The cookie-based session will be removed.

Disadvantages:

1. The same user may log on to multiple locations, and you cannot determine who is a real and valid user.
2. session records are stored locally in the cookie and may be obtained by the hacer. Through anehta, the cookie can be persistent to make the logon status valid permanently. Of course, you can record the timestamp when recording the cookie, verify the validity period on the server.
Personal suggestion:
In terms of security, as long as the processing is proper, the session and cookie are almost the same. In addition, we also need to consider the storage capacity of cookies. It is best not to place cookies on important information such as user information or permission information.

Who is safer than session and cookie?

Personally, I think the session is safer. I have the following opinions.

1. If the session is as secure as the cookie, the two will not exist at the same time. As long as the cookie is ready, the client will be able to split the server burden, it is transparent to users. Why not.

2. The session sessionID is stored in the cookie. To break the session, the first thing to do is to break the cookie. After the cookie is broken, you need to get the sessionID. The sessionID is generated only when someone logs on or starts session_start. You do not know when someone will log on. Second, sessionID is encrypted. During the second session_start operation, the previous sessionID is useless, and the sessionid expires when the session expires, it is difficult to break the sessionID with a secret in a short time. Session is for a communication, and the session ends with the disappearance of the session, and the real cookie exists in a text file on the client's hard disk, who is obviously safe.