It is imperative that web developers understand the difference between information that can be safely stored in a cookie and information that must be kept server-side at all times! Anything in a cookie sits on the user's machine, travels with every request, and can be read or copied by whoever has access to that machine or that traffic. The following list provides a few guidelines for cookie usage:
- Under no circumstances should a user's password, credit card number, or other private information be stored in a cookie.
- A session ID should be kept in a session cookie (one set without an Expires or Max-Age attribute, so the browser discards it when it is closed) and should be valid only for the duration of the user's visit; otherwise another user of the same machine can return to the site and be accepted as the previous user without ever logging in. Mark it HttpOnly so page scripts cannot read it, and Secure so it is only sent over HTTPS.
- Remembering a user's login is usually considered safe, but the user should always have the option of declining this behavior in case they are working on a public machine.
- If a value must be stored in a cookie in a form that cannot be read back, use a one-way hash function rather than reversible encryption. Note that MD5, the usual suggestion in older guides, is a hash rather than an encryption algorithm, and it is no longer considered suitable for security purposes; use a current hash such as SHA-256, or a dedicated password hash such as scrypt or bcrypt for anything derived from a password. Bear in mind that a hash stored in a cookie is still a credential: whoever can copy the cookie can present it.
Some of you may be wondering how it is possible to provide users with automatic logins without breaking the above principles. One solution is to store a one-way hash of the password both in a cookie and on the server, and to log the user in when the two match. This way the password itself is not visible to anyone who reads the cookie, but logins are still automated. Of course, malicious users using the same machine will also be automatically logged in, but at least the password is kept private. It is for this reason that sites require users to supply their old password before adopting a new one, thus preventing malicious users from changing another user's password to something familiar. Two caveats apply. First, whatever sits in the cookie is a bearer credential: anyone who copies it, whether from the machine, from an unencrypted connection, or through a script that can read it, can log in with it, so the cookie must be HttpOnly and Secure and the site must be able to revoke it. Second, a hash of the password is a poor choice for that credential, because it cannot be revoked without changing the password and it gives an attacker who obtains the cookie an offline guessing target; a random token issued per login, stored only as a hash on the server and discarded on logout or password change, provides the same convenience without either problem.
Last Updated: June 8th, 2005