#1
User Authentication Method?
Hi there,
Which one is better to use for user authentication, cookies or sessions? I just started coding a nice script for handling users' sign-up and login using cookies, and I found that if the user forgot to log out and the cookie has not expired yet, anyone can log in to any page using the first user's username and password on the same PC, because I put a small piece of code on every page to grab the username and password from the cookie I set. So, any idea how I can delete the cookie automatically when the user closes the session and forgot to log out?

#2
RE: User Authentication Method?
Well, you can do one of two things... don't set an expire time, and when the user closes the browser the cookie is gone. Or set a very small expire time (5 mins?) and refresh the cookie on every page view. This way, if the user doesn't click for 5 mins, the cookie expires and is gone.
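Both options from the reply above, as an added example in PHP that is not code from the thread: a session cookie set with lifetime 0 (no expire time, so the browser keeps it in memory only and drops it on close), plus a 5-minute idle timeout that is recorded server-side and refreshed on every page view. The demo user, its password and the `IDLE_TIMEOUT` value are assumptions for illustration.

```php
<?php
// Added example (not from the thread): session-based login with a
// memory-only session cookie and a 5-minute idle timeout that is
// refreshed on every page view.

declare(strict_types=1);

const IDLE_TIMEOUT = 300; // seconds of inactivity before the login is dropped (assumed value)

// Constructed demo user table: username => password_hash() output.
// In a real application this comes from your database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // lifetime 0 => no Expires/Max-Age on the cookie => the browser keeps it
    // in memory only and discards it when the browser is closed.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS (disable on a plain-HTTP dev box)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    start_session();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID so a pre-login ID cannot be reused
    $_SESSION['user']          = $username;
    $_SESSION['last_activity'] = time();
    return true;
}

// Call at the top of every protected page. Returns the username, or null
// if there is no session or the user has been idle longer than IDLE_TIMEOUT.
function current_user(): ?string
{
    start_session();
    if (!isset($_SESSION['user'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();                         // idle too long: treat as logged out
        return null;
    }
    $_SESSION['last_activity'] = time();  // "refresh on every page view"
    return $_SESSION['user'];
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    // Expire the cookie in the browser too, not just the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of a protected page:
// $user = current_user();
// if ($user === null) { header('Location: /login.php'); exit; }
```

The idle timestamp is kept in `$_SESSION` rather than in the cookie, so the client cannot extend its own timeout by editing what it holds; the cookie carries only the session ID. Neither option helps if the user walks away with the browser open and the page still being clicked, which is why the idle timeout is worth having even with a memory-only cookie.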

#3
RE: User Authentication Method?
If you want it to be really secure, store the user's IP and session ID in a database, and check it against that.

#4
RE: User Authentication Method?
Well, I tried not setting the cookie's expire time; I just left it blank (""), then I logged in as a user, and the browser asked me about setting myDomain cookies. After accepting those cookies, I was logged in, and I could check that the cookie was set and I could get any information I needed from this cookie, like userID, UserName and Password, via a script I made.
Then, before I closed my session, I checked the cookies folder on my PC and I couldn't find my cookie there!!! So the cookie isn't stored on my PC at all, even during the session's life.

CONCLUSION:
----------
So, if I don't set the expiry date, and the session is not closed yet, the cookie will not be stored on the user's PC at all, and so no one can edit that cookie to get into my database, so I think using cookies with no expiry date is secure enough.

QUESTION:
--------
Any comments on my conclusion?

#5
RE: User Authentication Method?
When you set a cookie with no expire time, it is a memory-only cookie. It does not get saved to disk. It disappears when the browser is closed... The only security issue comes when a user does not close the browser when they are done. Then, anyone could walk up and do anything the cookie allowed...

#6
RE: User Authentication Method?
You know, all programmers say:
"Using sessions is more secure than cookies", and you said "the only security issue comes when a user does not close the browser when they are done. Then, anyone could walk up and do anything the cookie allowed..." So what is the difference if I'm using sessions and the user leaves his PC to others? It's the same as if I'm using cookies with no expiry time and the user leaves his PC to others. In both cases, it's not secure!!! Any comments???

#7
RE: User Authentication Method?
Sessions (almost always) are done using cookies, so everything that is insecure regarding cookies is also insecure regarding sessions.
On the other hand, with sessions only the session ID is stored on the user's system, whereas with cookies (unless done with something like your own session-like system) you store the username, password or anything else in the client's memory or on disk, so generally cookies are more insecure!
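The approach in replies #3 and #7, side by side with the pattern the original poster described in #1, as an added example in PHP that is not code from the thread: the browser holds only a random session ID, and the server keeps the username, the client IP and an expiry in a database, so nothing secret ever sits in a cookie. It uses SQLite through PDO so it runs offline; the tables, the demo user, the `SESSION_TTL` value and the IP addresses are constructed for the demo.

```php
<?php
// Added example (not from the thread). Contrast between reading the
// username and password back from a cookie on every page (post #1) and
// a server-side session table keyed by a random ID, with the client IP
// and an expiry checked on every request (posts #3 and #7).

declare(strict_types=1);

// ---- The insecure pattern from post #1 (shown for contrast only) -------
// Anyone who can read the cookie (another user of the PC, a browser
// extension, an XSS) gets the password itself, and the cookie stays
// usable until it expires, however long that is.
function insecure_user_from_cookie(array $cookie, PDO $db): ?string
{
    if (!isset($cookie['user'], $cookie['pass'])) {
        return null;
    }
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$cookie['user']]);
    $hash = $st->fetchColumn();
    return ($hash !== false && password_verify($cookie['pass'], $hash)) ? $cookie['user'] : null;
}

// ---- Server-side sessions keyed by a random ID --------------------------
const SESSION_TTL = 1800; // absolute lifetime in seconds (assumed value)

function setup(PDO $db): void
{
    // Constructed demo schema and user; a real app has these already.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE sessions (
                 id_hash    TEXT PRIMARY KEY,  -- sha256 of the cookie value
                 username   TEXT NOT NULL,
                 ip         TEXT NOT NULL,
                 expires_at INTEGER NOT NULL)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
}

// Verifies the password and returns the raw session ID to put in a cookie
// (set with no Expires so the browser discards it on close), or null.
function login(PDO $db, string $username, string $password, string $ip): ?string
{
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;
    }
    $id = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: unguessable
    // Only a hash of the ID is stored, so reading the table does not yield
    // cookie values that could be replayed.
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $id), $username, $ip, time() + SESSION_TTL]);
    return $id;
}

// Called on every protected page: the cookie value is only a lookup key,
// so nothing secret about the user is ever stored on the client.
function user_from_session(PDO $db, ?string $id, string $ip): ?string
{
    if ($id === null) {
        return null;
    }
    $st = $db->prepare('SELECT username, ip, expires_at FROM sessions WHERE id_hash = ?');
    $st->execute([hash('sha256', $id)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time() || $row['ip'] !== $ip) {
        return null;   // unknown, expired, or presented from a different address
    }
    return $row['username'];
}

function logout(PDO $db, string $id): void
{
    $db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([hash('sha256', $id)]);
}

// ---- Demo run ----------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);

$sid = login($db, 'alice', 'correct horse battery staple', '203.0.113.5');
assert($sid !== null);
assert(user_from_session($db, $sid, '203.0.113.5') === 'alice');
assert(user_from_session($db, $sid, '198.51.100.9') === null);   // IP mismatch: rejected
logout($db, $sid);
assert(user_from_session($db, $sid, '203.0.113.5') === null);    // deleted server-side: cookie is now worthless
assert(login($db, 'alice', 'wrong password', '203.0.113.5') === null);
```

Two points a practitioner would add to reply #3: the IP check only sees the address the server sees, so users behind a changing address (mobile networks, some proxies) get logged out mid-session, and it does nothing against someone at the same keyboard; and the logout here deletes the record server-side, which is what makes the session cookie useless afterwards regardless of what the browser still holds.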
Viewing: Codewalkers Forums > PHP Related > PHP Coding > User Authentication Method?