PHP: using sessions or cookies for user authorization
I'm working on a PHP user authorization class and now I'm confused about sessions and cookies. I learned that WordPress doesn't use sessions, and I asked some PHP programmers whether cookies are enough for security. Most of them said that you have to use sessions for security; cookies can be modified.
However, I use the hash_hmac (md5) function with the user's IP address, password and cookie expiration date, and no one can decode my encrypted cookie code. Now I think cookies can be as safe as sessions. Now I'm wondering whether using cookies is faster than sessions or not. I did a few tests and found that using cookies was faster than using sessions.
However, I still want to learn why WordPress doesn't use sessions for the authentication process. Maybe I'm missing something, because many of my coder friends prefer both of them for the authorization process. Would anyone let me know about this problem? Thanks.
I use the hash_hmac (md5) function with the user's IP address, password and cookie expiration date, and no one can decode my encrypted cookie code
Are you simply signing the cookie data with an HMAC? It sounds like it. All an HMAC does is prove that a message has not been tampered with. Further, the IP address restriction is going to severely irritate users behind certain proxy servers.
Because the HMAC is just a signature, the cookie data can still be read and is entirely unencrypted, unless you have done so separately. If you have placed any data in that cookie that would permit a third party monitoring the connection access to the site as your user (such as, say, a simple un-salted hash of the user's password), then the HMAC is utterly useless.
If you want to put confidential information in a cookie, you should be using real encryption here, not just signing the data. (Read: Do both.)
If you are unable to perform actual encryption of the data, and the data is so risky that it has to be protected from prying eyes, then you shouldn't be sending it in a cookie. Or your entire site should be served over SSL. Or both.
But let's get to the meat of the issue:
If you're trying to simply identify if the current user is logged in, then sessions are a fantastic choice. It's hard to make them not work.
If you're trying to make a user login persist longer than the length of a session, then cookies are pretty much the most effective tool. However, you don't need to (read: should not) store any interesting information in the cookie. You can simply store a hash of some random data and identify it in the database as belonging to the specified user. Here is where your browser/IP restrictions can come into play. When the user isn't currently logged in, then check the cookie. If it's still valid, set their session data and regenerate the cookie with a new hash, invalidating the old one.
Be sure to set it up so the same user can be logged in to different machines without logging the others out. That's annoying as hell.
As for why WordPress allegedly eschews sessions... well, WordPress isn't the paragon of good design, and has made some huge compromises in the name of working pretty much anywhere. Shared hosting is hell.
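The persistent-login scheme the answer describes (cookie holds only random data, the database maps it to a user, the token is rotated on every successful use) looks like the following. This is an added example, not code from the question, the answer or WordPress. It assumes a hypothetical in-memory array standing in for a database table with the columns selector, validator_hash, user_id and expires; the function names are made up for the illustration. The cookie is split into a public selector (used for the database lookup) and a secret validator (only its hash is stored), so a leaked table does not yield usable cookies and the lookup itself does not depend on a timing-safe comparison.

```php
<?php
// Added example of the "remember me" token flow described in the answer.
// $table is a hypothetical stand-in for a database table:
//   remember_tokens(selector, validator_hash, user_id, expires)
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600; // 30 days, in seconds

/**
 * Issue a new persistent-login token for $userId and return the cookie value.
 * Nothing about the user (password hash, IP, username) goes into the cookie.
 */
function issueRememberToken(array &$table, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(8));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $table[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Validate a cookie value. On success the old token is deleted, a fresh one is
 * issued, and ['user_id' => ..., 'cookie' => ...] is returned so the caller can
 * populate the session and re-set the cookie. Returns null on any failure.
 */
function consumeRememberToken(array &$table, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($table[$selector])) {
        return null;
    }
    $row = $table[$selector];
    $expired  = $row['expires'] < $now;
    $mismatch = !hash_equals($row['validator_hash'], hash('sha256', $validator));
    if ($expired || $mismatch) {
        // Stale or forged token: drop the row so it cannot be retried.
        unset($table[$selector]);
        return null;
    }
    // Rotate: the presented token is now dead, a new one replaces it.
    // Other rows for the same user_id (other machines) stay untouched.
    unset($table[$selector]);
    return [
        'user_id' => $row['user_id'],
        'cookie'  => issueRememberToken($table, $row['user_id'], $now),
    ];
}

// Request-handler sketch (assumes session_start() has already run):
function restoreLoginFromCookie(array &$table): void
{
    if (!empty($_SESSION['user_id']) || empty($_COOKIE['remember'])) {
        return; // already logged in, or nothing to check
    }
    $result = consumeRememberToken($table, $_COOKIE['remember'], time());
    if ($result === null) {
        setcookie('remember', '', ['expires' => 1, 'path' => '/']); // clear it
        return;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $result['user_id'];
    setcookie('remember', $result['cookie'], [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Stand-alone demonstration with the in-memory table (constructed data):
$table  = [];
$cookie = issueRememberToken($table, 42, time());
$first  = consumeRememberToken($table, $cookie, time());   // user_id 42, new cookie
$replay = consumeRememberToken($table, $cookie, time());   // null: old token is gone
$again  = consumeRememberToken($table, $first['cookie'], time()); // user_id 42
var_dump($first['user_id'] === 42 && $replay === null && $again['user_id'] === 42);
```

Because each login on each machine gets its own row, the same user can stay logged in on several devices without one logging the others out, and a single stolen cookie can be revoked by deleting one row. The IP or user-agent restriction the answer mentions would go in the row as extra columns checked in consumeRememberToken, with the caveat about proxies already noted.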