I have administration part of my web site. But it will have only one user who will login in the page.My question what is more safely from attacks ? The user and password to be stored in mysql database or directly in .php file ?
If your PHP compiler stopped working for any reason, your PHP code yould be displayed as plain text, meaning that your password would be visible.
However, if you have it in a database and the compiler stops working, then the user will not see the Admin password. Although they would see the database connection information.
The best way would be in a database, and setup access hosts in your database to prevent anyone other than Localhost making a connection (Also, make sure your database user password is not the same as any other password you use, a string or random numbers/letters/symbols for example)
the best solution is session..
because after a specified time the use automatically logged out so session is best option for security.
I am going to disagree with your reasons for using sessions over cookies, although Sessions are more secure in themselves:
This can also be done with Cookies, you can set the time they expire.
I assume you meant that they expire when the browser closes, but an auto timeout is not really required in most situations so can't really be used as the main point for using sessions..
The main advantage of sessions is that the session data is stored on the server, not on the client PC (Cookies store the data on the Client).
The only thing that is stored on the client is the session ID.