Cookies - PHP vs Javascript

With regards to security and convenience which cookies are better the PHP ones or the Javascript ones?



They are the same ones, in both cases the cookie is sent to the browser, stored there and the browser send it back to you every request until it expires or is deleted.

For that reason, you should never use cookie for security as your question implies nor for any data which you consider important to keep unaltered by the end user.

There are five things to always remember when you use cookie:
1 - you can not trust its content
2 - you can not assume it will still be there on the next request
3 - you can not trust its content
4 - you can not assume the user never visited before if it's not there
5 - you can not trust its content

If you get that, accessing cookie from php or javascript is simply a question of what's more convenient to you.


There is no such thing as a 'php' cookie or 'JavaScript' cookie.

A cookie is a cookie is a cookie. The import thing is what you store in it. So, what are you storing in them?


I'm not sure if at the time you asked the question you were aware of the fact that some browsers support an additional HTTPOnly flag for cookies. In that regard, cookies sent with PHP, that contain the HTTPOnly flag cannot be modified by client-side JavaScript code in browsers that support the feature, which strengthens the security somehow.

So, users that have a browser supporting HTTPOnly cookies, will be better protected against XSS attacks.


Well I'm not a security guru, but one thing's for sure. If you set them in JavaScript, since it's front-end, the user will see how you read and write your cookies and what you put in them, which means he has a lead. While doing this in PHP, will not show him how you're reading and writing them and what are you doing with them.


If you are talking about Session cookies, then they can be considered to be secure in comparison with normal ones.


They are exactly the same, when you call setcookie() on PHP, all it does is send a HTTP header that is interpreted by the browser to store a cookie for a given lifetime. The same happens with Javascript.


Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.