Is it safe to store user object in a cookie?

I have a user object which contains information about the user (username, ip, country, name, email... but NOT password). Should I store just the username in the cookie and then retrieve all info from DB upon loading the page, or just store the entire User object in the cookie?

Gal asked Nov 23 '09 14:11


1 Answer

You can't trust any information stored in a cookie, as the user can manipulate it at his/her leisure.

I suggest using a PHP session to store the object. That way, the end user only has a session ID stored in a cookie, with the real data on your server.

The session will eventually time out, though... forcing the user to log in again.

Edit: Whoops, I should point out that sessions are really easy to use. Just do the following:

<?php
session_start(); // This MUST be at the very top of every page that accesses the session, before any output is sent

// Store something in the session with the key 'something'
$_SESSION['something'] = "Hi, I'm a session!";

// Retrieve 'something' from the session
$myString = $_SESSION['something'];
Powerlord answered Oct 10 '22 14:10
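The answer's approach carried through as a fuller added example (not code from the original answer): the browser holds only the session ID cookie, the server holds the user's identity, and the user record is re-read from the database on demand, so nothing the user can edit client-side decides who they are. The `$pdo` connection and the `users` table with its columns are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original answer): keep only a session ID in the
// browser and the user record on the server. Assumes a $pdo connection and a
// users table with id/username/name/email/country/password_hash columns.
declare(strict_types=1);

// Harden the session cookie before session_start(): HttpOnly keeps scripts from
// reading the ID, Secure limits it to HTTPS, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a new ID on login so a session ID fixed before login cannot be reused.
    session_regenerate_id(true);
    // Store only the identifier; re-read details from the DB when needed so the
    // browser never holds (or can alter) name, email, country, etc.
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, name, email, country FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}
```

Pages that need the user then call currentUser($pdo) after session_start() and treat null as "not logged in"; the username, IP or email never travels in the cookie.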