Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialSerdar Halac
15,259 PointsIs sending the SessionID by cookie safer than sending the UserID by cookie because sessionID expires by UserID doesn't?
Because both can get you access to the data, right? I mean if someone is able to intercept your cookies and somehow decrypt them, and you have a session ID in that cookie, the attacker can simply user that SessionID to then get authorized, and then indirectly have a access to a UserId that then gets you any data you want, whereas if UserIDs are transmitted over cookies, someone would have a direct access to data by using that UserID to access the database.
So I guess what I'm asking is: is the only difference between sending one over the other as a security measure the fact that a sessionId is made to expire eventually, thus only granting temporary access, whereas an attacker getting a userId means they will have constant access to your data as long as your userId remains the same in the database?
Considering the fact that an attacker would simply try and grab your data as fast as they can anyway (within the time limits of a session, maybe), doesn't it only marginally help to send the sessionId instead of the UserId over cookies? Obviously session is better, but I guess what I'm saying is that isn't sending a sessionId over cookie still something that should be considered "sending sensitive data over cookies"? Because if the sessionId grants access to the DB, it's just an indirect but still very real way to access sensitive data.