Is storing a session id in a cookie a better practice than a get var?

The title pretty much says it all. A cookie seems to have a few advantages to me; however, I'll wait to see what others say.

Also - assuming a cookie is better, what can be done to make passing the session by GET variable better?

Specifically I'm thinking about PHP; however, this should apply generally.


Cookies are the better way to go.

The downsides of having the session ID in the GET variable are

  • URLs look more ugly

  • it screws up links and bookmarking (although this is more a cosmetic problem, as an expired session will simply be deleted and a new one created)

  • it can be slightly less secure (when people share links containing the session ID, and inadvertently have their session "hijacked").

Search engines, however, will remove the session ID from indexed URLs, as long as they are named after a standard scheme (PHPSESSID, SID...) so this is not a problem.

The usual way to go here (and I think, PHP's default behaviour) is to use Cookies when possible, and to fall back to GET variables if they are disabled.

As to how to make GET variables "better" - one way to make URLs containing them a bit more pretty is to use URL rewriting, so you can have e.g. 

123456890 being the session ID.

However, note that this will lead to search engines being unable to strip out the session ID, because they have no way of telling it is one.

The security issue that a session ID could inadvertently be copy+pasted to a new user can be controlled through low session timeouts, and anti-"session hijacking" measures as shown e.g. in this question. However, the accepted answer suggests using session.use_only_cookies .....

Storing it in a cookie as opposed to in a GET var has at least one advantage, in that the session ID'd URL will never be bookmarked by any user.

Need Your Help

Stop UIView leaving container with UIPanGesture?

ios swift uiview uipangesturerecognizer

I have managed to stop my UIView going outside of the container with the pan gesture but what I am struggling to achieve is to stop it at its edges. Currently it goes right to the last pixel edge a...

ASP MVC 3 - Export to CSV method including junk characters not in database csv export-to-csv

Below is the (crude) method I'm using to export the contents of a table into a CSV. I came up with this on the fly, however the data in the table has been loaded from an Excel spreadsheet created b...

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.