
Is it safe to store user object in a cookie?

I have a user object which contains information about the user (username, ip, country, name, email... but NOT password). Should I store just the username in the cookie and then retrieve all info from DB upon loading the page, or just store the entire User object in the cookie?


You can't trust any information stored in a cookie, as the user can manipulate it at his/her leisure.

I suggest using a PHP session to store the object. That way, the end user only has a session ID stored in a cookie, with the real data on your server.

The session will eventually time out, though... forcing the user to log in again.

Edit: Whoops, I should point out that sessions are really easy to use. Just do the following:

session_start(); // This MUST be at the very top of every page that accesses the session

// Store something in the session with the key 'something'
$_SESSION['something'] = "Hi, I'm a session!"; 

// Retrieve 'something' from the session
$myString = $_SESSION['something'];


The standard rule of 'never trust posted data' applies to cookies too. I suggest storing just the user ID as well as a hash of the ID and some secret known only to the server.


For that case, I'd say store the user-id in the cookie and that's it. Then, upon first load of the page you load everything you need from the database and go on using a session as long as the user stays on your page.

To test if the page is loaded the first time, I just set a bool in the session if it has been loaded. If the bool doesn't exist, your user loads it initially.

There are probably better ways of doing this, but it works nice and easy. :)


Only store a session id! Never meaningful data such as user id. Imagine that you have a site with 10,000 users. Chances are that you have at least one user called superman and batman - if you store a username in a cookie to access your session information - it is potentially feasible for me to manipulate that cookie to change stored info from my username to batman and gain access to batman's account if his session is still alive. If you store some sort of randomly generated session id - it's pretty much impossible for me to figure out a session number that would work for another user to hijack that session.


You can trust information in the cookie if you use something like HMAC. Users could still see the data, but you would know if they had tampered with it (for example, changing their username to someone else's in an attempt to see another user's data). If you don't want them to see the data, you could also symmetrically encrypt the data you're sending. Obviously there's a CPU overhead to all of this, and a bandwidth overhead the more stuff you cram in there, but it's entirely legitimate to do what you're asking.
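The HMAC approach from this answer, as an added PHP example that is not part of the original post. The secret is a constructed placeholder; the cookie name, the `user_id`/`username` fields and the helper names are assumptions for illustration.

```php
<?php
// Added example (not from the original answer): a tamper-evident cookie value
// built with an HMAC over the payload. The key lives only on the server, so a
// user who edits the payload cannot compute a matching tag. The payload is
// still readable by the user, so it must carry no secrets.
const COOKIE_SECRET = 'CONSTRUCTED-PLACEHOLDER-use-a-long-random-server-side-key';

// Encode the payload and append the HMAC tag: "<base64 payload>.<hex tag>".
function signCookieValue(array $payload, string $secret): string {
    $data = base64_encode(json_encode($payload));
    $tag  = hash_hmac('sha256', $data, $secret);
    return $data . '.' . $tag;
}

// Verify and decode. Returns the payload, or null if the value is malformed,
// was altered, or was signed with a different key.
function verifyCookieValue(string $value, string $secret): ?array {
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$data, $tag] = $parts;
    $expected = hash_hmac('sha256', $data, $secret);
    // hash_equals compares in constant time so the check leaks no timing info.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $payload = json_decode(base64_decode($data, true), true);
    return is_array($payload) ? $payload : null;
}

// Issue the cookie after login (HttpOnly/Secure/SameSite limit exposure).
$original = ['user_id' => 42, 'username' => 'alice'];   // constructed sample
$cookie   = signCookieValue($original, COOKIE_SECRET);
setcookie('user', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Simulate a user rewriting 'alice' to 'batman' in the payload: the tag no
// longer matches, so the server rejects the cookie instead of trusting it.
$tampered = str_replace(
    base64_encode(json_encode($original)),
    base64_encode(json_encode(['user_id' => 42, 'username' => 'batman'])),
    $cookie
);
var_dump(verifyCookieValue($cookie, COOKIE_SECRET));   // array(user_id => 42, username => alice)
var_dump(verifyCookieValue($tampered, COOKIE_SECRET)); // NULL
```

Rotating the key invalidates every outstanding cookie, which is the intended way to log everyone out; a session id stored server-side avoids that coupling.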


You can't assume the username being passed from a cookie is the actual username you wrote to the cookie. That is why they suggested using the sessionID. Using the sessionID you can go get the username and like he said is only good for 20 minutes or whatever you set your session timeout to be. SessionID doesn't reveal any private data. I had your same thought before I found this post though.
