I was creating a login system with PHP and I wondered: Why are sessions needed?
If I store a cookie with the userid and the sessionid, doesn’t it pose the exact same security risks as storing a cookie with the userid and password hash (given that the password hash is strong enough)? Yeah, someone could potentially steal the cookie, but isn’t it the same if they steal the sessionid cookie?
Could someone tell me what’s the reason for using sessions in every (reasonably secure) login system?
One of the benefits of a session is that you can generate a new one each time somebody logs in, and even periodically during a user’s visit. If you just used userid and some hash of the password, then as soon as somebody stole your cookies they would be able to log in as you indefinitely. Sessions expire.
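To make the answer above concrete, here is an added example (not code from the original question or answer) of a minimal PHP login flow built on sessions. The `find_user_by_name()` lookup, the user "alice" and her password are constructed for the demo; the timeout values are arbitrary choices. The point to notice is that every security property mentioned in the answer (a fresh id on login, expiry, and the ability to kill a session) lives in server-side state that a cookie holding `userid + password hash` could never offer.

```php
<?php
// Added example: session-based login in PHP, showing why a session id is
// preferable to a cookie carrying the userid and password hash.
// find_user_by_name() and the user record are hypothetical stand-ins for a database.

declare(strict_types=1);

const IDLE_TIMEOUT     = 900;   // seconds of inactivity before a session is dropped
const ABSOLUTE_TIMEOUT = 28800; // hard cap on session lifetime (8 hours)

// Hypothetical user lookup; a real app would query its users table.
function find_user_by_name(string $name): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$name] ?? null;
}

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,     // cookie lives only until the browser closes
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $name, string $password): bool {
    $user = find_user_by_name($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a brand-new session id at the moment of login. Any id the browser
    // held before (planted by a third party or captured earlier) is discarded,
    // so nobody who knew the old id gains the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['created_at']    = time();
    $_SESSION['last_activity'] = time();
    return true;
}

// Returns the logged-in user's id, or null once the session has expired.
function current_user_id(): ?int {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $now = time();
    if ($now - $_SESSION['last_activity'] > IDLE_TIMEOUT
        || $now - $_SESSION['created_at'] > ABSOLUTE_TIMEOUT) {
        logout(); // expired: the id is now useless, whoever presents it
        return null;
    }
    $_SESSION['last_activity'] = $now;
    return $_SESSION['user_id'];
}

// Invalidates the session on the server and clears the cookie on the client.
function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling (one page, for illustration):
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    echo login($_POST['user'], $_POST['pass']) ? "logged in\n" : "bad credentials\n";
} elseif (isset($_GET['logout'])) {
    logout();
    echo "logged out\n";
} else {
    $uid = current_user_id();
    echo $uid === null ? "anonymous\n" : "user #$uid\n";
}
```

Compare this with the cookie-of-credentials design from the question: there, the server holds nothing per login, so the only way to stop a stolen cookie from working is to change the user's password. With a session, `logout()`, the idle and absolute timeouts, and `session_regenerate_id()` all retire a captured id without touching the password, and the cookie never carries anything derived from the password at all.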