First, let me tell you this. Nothing is 100% secure. Nothing is air tight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put (unless you are using HTTPS, which is a different story).

首先，让我告诉你这一点。没有什么是 100% 安全的。没有什么是密封的，没有什么是神圣的。如果有足够的动机，攻击者将破坏您可能设置的所有服务器端防御（除非您使用 HTTPS，这是另一回事）。

You may use cookies, but cookies are highly exposed and easily modified. Never store private data, or access levels in a cookie. As it is easily stolen/modified by an attacker.

您可以使用 cookie，但 cookie 高度暴露且易于修改。切勿在 cookie 中存储私人数据或访问级别。因为它很容易被攻击者窃取/修改。

Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent by one of 2 ways. a $_GET variable (bad), or a cookie (better, but still pretty bad). Meaning, if you are logged in as the administrator, over an unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your SESSION ID. And while not getting your password, the server will wrongly identify the attacker as you, and grant him any access you may have/had.

会话也不是 100% 安全的。服务器用于识别客户端的会话 ID 通过两种方式之一发送。一个 $_GET 变量（坏），或一个 cookie（更好，但仍然很糟糕）。这意味着，如果您以管理员身份登录，通过不安全的 WiFi，熟练的攻击者（熟练的我指的是下载了简单 HTTP 嗅探器的 pr0 haxx0r）可以轻松窃取您的会话 ID。虽然没有获得您的密码，但服务器会错误地将攻击者识别为您，并授予他您可能拥有/拥有的任何访问权限。

So what to do? Sessions are on most cases safe. Advise your users to not log in under an unsecured network (buses, internet cafes, etc.). If you want to allow your user authorization to persist over time, a cookie is required. I usually use a 2 cookie system if I need that:

那么该怎么办？会话在大多数情况下都是安全的。建议您的用户不要在不安全的网络（公共汽车、网吧等）下登录。如果您想让您的用户授权随着时间的推移持续存在，则需要一个 cookie。如果需要，我通常使用 2 cookie 系统：

userid=12345
hash=password_hash($userid . $hashed_password, PASSWORD_DEFAULT)

Then I have something to match against, and the user's details weren't revealed.

然后我有一些东西可以匹配，用户的详细信息没有透露。

But like I said, in the end of the day, if you really REALLY wanted to secure your users, in above to everything else written in this answer, get yourself HTTPS.

但是就像我说的那样，归根结底，如果您真的想保护您的用户，除了此答案中写的所有其他内容之外，请让自己使用 HTTPS。

I would use a session.

我会使用会话。

To help a little on security, once a users credentials have been verified use session_regenerate_id- since the session id is what is passed across in a cookie this is important if someone is sniffing around while login in processed.

为了在安全方面提供一点帮助，一旦用户凭据得到验证，请使用session_regenerate_id- 因为会话 ID 是在 cookie 中传递的内容，如果有人在处理登录时四处嗅探，这一点很重要。

DO NOT STORE any information in the session pertaining to access credentials - a userId is often sufficient; personally I build a user object which I store in the session (these get auto serialized/unserialized between request - but you can read on that independantly).

不要在会话中存储任何与访问凭证有关的信息——一个 userId 通常就足够了；我个人构建了一个存储在会话中的用户对象（这些对象在请求之间自动序列化/反序列化 - 但您可以独立阅读）。

IF you wish to set a cookie so the user doesn't have to login on the next visit perhaps store the userId and an autogenerated token which can be checked against in the database (or similar) - I would add extras to the checking too - like storing the last ipaddress with the token to check as well, if they don't match then ask for login once more.

如果您希望设置一个 cookie，以便用户在下次访问时不必登录，也许可以存储 userId 和一个自动生成的令牌，可以在数据库（或类似的）中进行检查 - 我也会在检查中添加额外的 -就像将最后一个 ipaddress 与要检查的令牌一起存储，如果它们不匹配，则再次要求登录。

There are quite a few approaches that can be taken - I don't offer all/'the best' - get your code reviewed by people in a php community - you learn more that way.

有很多方法可以采用 - 我不提供所有/“最好的” - 让 php 社区中的人您的代码 - 您可以通过这种方式了解更多信息。

If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.

如果某人有登录名和密码，则可以将其设置为浏览器中的 cookie，这样他们就不必每次访问您的网站时都重新登录。您几乎可以在浏览器 cookie 中存储任何内容。问题在于用户可以随时阻止 cookie 或删除它们。例如，如果您网站的购物车使用了 cookie，而某人的浏览器设置为阻止它们，那么他们将无法在您的网站上购物。

When you store data in cookies, you must be absolutely certain that users can't tamper with the data in any way. There's no way to keep users from altering the data in a cookie; it's absurdly easy. So, in order to ensure that your website doesn't accept cookies containing altered data, you need to either encrypt the cookie values or sign them with a hash that allows you to verify their integrity.

当您在 cookie 中存储数据时，您必须绝对确定用户无法以任何方式篡改数据。没有办法阻止用户更改 cookie 中的数据；这太容易了。因此，为了确保您的网站不接受包含更改数据的 cookie，您需要对 cookie 值进行加密或使用散列对其进行签名，以便验证其完整性。

Best practice is to use PHP sessions.

最佳实践是使用 PHP 会话。

A PHP session is maintained by having the browser return a cryptographically secure (that is, not guessable as to the next valid value) string known as the session IDeach time it makes a request during that session. The best and safest way to do that is to give the browser a session cookie, which it will then send with each request.

PHP 会话是通过让浏览器在该会话期间每次发出请求时返回一个称为会话 ID的加密安全（即不可猜测到下一个有效值）字符串来维护的。最好和最安全的方法是给浏览器一个会话 cookie，然后它会随每个请求一起发送。

The alternative method to using a session cookieis to included the PHP Session ID in the request URL itself as a GET variable. An example URL might look something like:

使用会话 cookie的另一种方法是将 PHP 会话 ID 作为 GET 变量包含在请求 URL 本身中。示例 URL 可能类似于：

https://www.example.com/mypage.php?PHPSESSID=cteekbf64igp5vdjjkktvoeb97

https://www.example.com/mypage.php?PHPSESSID=cteekbf64igp5vdjjkktvoeb97

This is not as secure as using a cookie, because the URL might accidentally get shared or stolen via other means.

这不像使用 cookie 那样安全，因为 URL 可能会意外地通过其他方式共享或被盗。

Security is many layered, like an onion (as the common example goes). The more secure you make something, the more effort it takes to make it secure, and the less convenient it is to use. It's a cost-benefit trade off. So you have to ask, how important is your data, is your user's privacy and safety, etc.

安全性是多层次的，就像洋葱一样（就像常见的例子一样）。你做的越安全，就越需要努力使其安全，使用起来也就越不方便。这是一种成本效益的权衡。所以你必须问，你的数据有多重要，你用户的隐私和安全等。

For me, a base level would be to use PHP sessions with the session ID forced to be in cookies (block users who disable cookies), SSL encryption all the time, on both data and the cookies, and make sure the various PHP settings which affect security for sessions are set to the best, most secure settings. You'll want to read everything on these pages and child pages:

对我来说，基本级别是使用会话 ID 强制在 cookie 中的 PHP 会话（阻止禁用 cookie 的用户），始终对数据和 cookie 进行 SSL 加密，并确保各种 PHP 设置影响会话的安全性被设置为最佳、最安全的设置。您需要阅读这些页面和子页面上的所有内容：

• http://php.net/manual/en/intro.session.php
• http://php.net/manual/en/session.security.php

• http://php.net/manual/en/intro.session.php
• http://php.net/manual/en/session.security.php

As @Madara said nothing is 100% secure and correct but as developer point of view I would say each and every methods of retaining user's session data has its own advantages and disadvantages for instance.

正如@Madara 所说，没有什么是 100% 安全和正确的，但从开发人员的角度来看，我会说每种保留用户会话数据的方法都有其自身的优点和缺点。

User Data in Cookies vs Session

Cookie 与会话中的用户数据

If you are keeps user's session data in cookies it will consume less server's RAM memory and processing because you don't have to keep logged user's info into RAM. also if user increases then its recommended to keep user session data in cookies rather than session because keeping in session would consume server resources and your application could be slower and non responsive sometime. where as if you are keeps user's logged in data into session It would be secure than cookies but it would consume more server resources.

如果您将用户的会话数据保存在 cookie 中，它将消耗更少的服务器 RAM 内存和处理，因为您不必将登录的用户信息保存在 RAM 中。此外，如果用户增加，则建议将用户会话数据保存在 cookie 而不是会话中，因为保持会话会消耗服务器资源，并且您的应用程序有时可能会变慢且无响应。好像您将用户的登录数据保存到会话中它比 cookie 更安全，但它会消耗更多的服务器资源。

On final note:Both the ways are correct in its own implementation also if your application is using HTTPS protocol then security shouldn't be a concern. so I would suggest use methods of retaining user's session data according to the application's and business model's requirement.

最后一点：如果您的应用程序使用 HTTPS 协议，这两种方法在其自身的实现中都是正确的，那么安全性不应该成为问题。所以我建议根据应用程序和业务模型的要求使用保留用户会话数据的方法。