On Mon, Mar 10, 2008 at 11:43 AM, Mark Fuller <[EMAIL PROTECTED]> wrote:
> But that doesn't mean anything belongs in a cookie. It seems to me if
> it can't be clear text it shouldn't be in a cookie. At least if it's
> clear text I have the opportunity to see what's going on and make a
> choice about whether to accept cookies from a site.

Again, have you tried turning on the "ask me" option for cookies lately? You'll find that many pages give you a dozen or so cookies from various ad banners and the like. Hardly anyone looks at cookies, and those who do will probably be happier if they don't look like readable text.

> I'd go further and say nothing but a session key should go in a
> cookie. Once it turns into additional elements, opinions differ about
> what's sensitive or not (userid?, first and last names?, mailing
> address? date of birth? credit card number?).

Information that isn't sensitive can be made tamper-proof with an HMAC. Information that is sensitive can be encrypted with a strong cipher like Blowfish. It's not that hard.

The real issue with cookie-storage is avoiding sending too much data back and forth. In a typical application, sessions contain a handful of database IDs and uncommitted form data, so the size is reasonable.

- Perrin

#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
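The HMAC approach Perrin describes, as an added example that is not part of the original thread and not CGI::Application code: non-sensitive session values (database IDs, cart contents) are serialized into the cookie together with an expiry and an HMAC-SHA256 tag, and the server rejects any cookie whose tag does not match. Python is used here rather than Perl so the example runs against the standard library alone; the key, the session contents and the fixed clock value are all constructed for the demonstration. The payload is only encoded, not encrypted, so this covers the tamper-proofing half of the message and not the Blowfish half.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the demo; a real deployment loads this from
# configuration, never from source control.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64encode(raw: bytes) -> str:
    # Cookie-safe encoding: URL-safe alphabet, padding stripped.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(body: dict) -> str:
    # Canonical JSON so the same session always yields the same tag.
    return _b64encode(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def sign_cookie(session: dict, key: bytes = SECRET_KEY, ttl: int = 3600, now=None) -> str:
    """Serialize the session, attach an expiry, and append an HMAC-SHA256 tag.

    Anyone holding the cookie can read the payload (it is encoded, not
    encrypted), so keep it to non-sensitive values such as database IDs.
    """
    now = int(time.time()) if now is None else now
    payload = _serialize({"data": session, "exp": now + ttl})
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the session dict if the tag matches and the cookie is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no separator: not something we issued
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where the tags differ.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        body = json.loads(_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    return body.get("data")


def tamper_demo(key: bytes = SECRET_KEY) -> dict:
    """Show that editing the payload invalidates the tag, and that expiry and key mismatch are caught."""
    now = 1_700_000_000  # constructed fixed clock so results are deterministic
    cookie = sign_cookie({"user_id": 42, "cart": [7, 9]}, key, now=now)
    payload, tag = cookie.rsplit(".", 1)
    body = json.loads(_b64decode(payload))
    body["data"]["user_id"] = 1          # client edits the readable payload...
    forged = f"{_serialize(body)}.{tag}"  # ...but cannot recompute the tag without the key
    return {
        "genuine": verify_cookie(cookie, key, now=now),
        "forged": verify_cookie(forged, key, now=now),
        "expired": verify_cookie(cookie, key, now=now + 7200),
        "wrong_key": verify_cookie(cookie, b"constructed-other-key", now=now),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case:>9}: {result}")
```

The expiry field matters as much as the tag: without it a captured cookie stays valid for as long as the key does, and rotating the key is the only way to revoke it. Keeping the payload small, as the message points out, is also what keeps the cookie under browser size limits.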