On Mon, Mar 10, 2008 at 8:28 AM, Perrin Harkins <[EMAIL PROTECTED]> wrote:
> Have you tried browsing the web without cookies recently? It doesn't
> work at all on a large number of popular sites. For better or worse,
> cookies are a part of the deal now.

But that doesn't mean anything belongs in a cookie. It seems to me if it can't be clear text it shouldn't be in a cookie. At least if it's clear text I have the opportunity to see what's going on and make a choice about whether to accept cookies from a site.

I'd go further and say nothing but a session key should go in a cookie. Once it turns into additional elements, opinions differ about what's sensitive or not (userid?, first and last names?, mailing address?, date of birth?, credit card number?). If it's just a session key there's not a lot to think about. If it contains more than that there's always the risk that the cookie setter's ideas violate my sense of privacy or security.

If it's encrypted, who knows what's going on. The fact that it warrants encryption would give me concern.

Mark

#####  CGI::Application community mailing list  ################
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
################################################################