User identification using cookies in PHP/MySQL - Common Pitfalls and Conclusion (Page 3 of 3 )
Naturally, using cookies is not the safest method to protect your pages, since there are pitfalls. Here are some:
Cookies are not visible to your pages until first reload after you set it
Cookies must be deleted with same parameters as they were set with
Cookies can be stolen, their values read, since they are ASCII files
Cookies can be stored on proxy servers and thus exposed externally to userís computer
Not a safest method if user does access your pages through a public computer
In case user does not logout, cookie remains on his computer until it expires
But, since we are not passing usernames/passwords to cookies, no one can read them and try to login. Using logcodes we ensure somewhat unique identification of your users, and since logcodes are renewed upon each access to your protected pages, it makes it difficult to be stolen, since the thief must steal the cookie, read the value, setup a cookie on his own machine and access your pages, all within the timeframe between two clicks of your real user, or within the timeframe of his idle time.
Actually, we consider cookie-based user identification to be very secure, except if accessed from a public computer, but a proper logout fixes the problem. Force your users to return and logout if their connections are broken.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.