Cookies vs Sessions is an ongoing debate. We will explain what the difference is between the two and when you would use one over the other.
0:00 There's been an ongoing debate with where you should store authenticated user information.

0:05 The debate is: should you store your details in cookies or sessions?

0:10 Although there is no 100% correct answer for this debate, I'm going to go over the differences between both, with the positives and negatives of each one.

0:21 A lot of people will argue that using sessions is the correct way of storing information about the user.

0:27 The reason I get from a lot of people when asking this is that it's easy.

0:31 Although this argument is true, it is also easy for a hacker to gain access to the same session for cross-site scripting attacks.

0:40 Sessions are prone to cross-site scripting because the sessions are accessible via JavaScript, and there is no good way to keep that from happening.

0:49 Typically, when people go to prevent cross-site scripting on their site, they will just encode and/or escape all untrusted information.

0:58 This kind of thing had worked in the past, but now, with package managers, you're pulling in JavaScript packages to include other scripts, such as Google Analytics and Analysis.

1:09 If these scripts become insecure and compromised, anything you store inside of sessions is accessible to these scripts, even outside of package manager code.

1:20 If your site contains a script that was placed maliciously, they now have access to sessions for everyone who visits your site.

1:29 Because of the potential vulnerabilities of session storage, my recommendation is to use cookies.

1:35 Cookie storage can be a little harder to work with, but with packages such as the Symfony HttpFoundation package, which we'll be using in this project, creating and updating cookies is much simpler.

1:49 Cookies can have an HttpOnly flag set on them to make them visible only to the browser and not to scripts on the site.

1:58 One of the other nice features of cookies is the ability to set a cookie to only be transmitted over HTTPS, which makes it even more secure.

2:08 The way we'll be using cookies is to store JSON that contains all information about the user, allowing the cookie to be stateless.

2:17 The downside of cookies is that they are prone to cross-site request forgery, which allows a hacker to trick the browser into providing the cookie by using a form or image that is hidden from the user.

2:30 Protecting against cross-site request forgery is about securing your forms.

2:35 The way this works is that you store a token in your user session that you also place in a hidden input field on all forms.

2:44 Then, on a form submission, you would compare the token in the user session with the one from the form submission.

2:51 If they match, you can proceed with whatever else your form is designed to handle.

2:57 Please see the notes associated with this video to find out what you can do to prevent cross-site request forgery.