On 09/18/2009 11:15 AM, James Smith wrote:

> But cookies are in general not big enough to store the information that
> a user would store on a website!

I'm not talking about eliminating a permanent data store for your users. I'm talking about replacing the session specific things. How much session specific data do you really need to store? If it's bigger than 4K per-user then yes you can't use a single cookie. But like I said before, the situations that you really need more than that for *session specific* data are pretty rare.

> and security is not just on your server
> (but also on the client's machine) so if the browser can read it - anyone
> that can compromise the browser can also read it - if it is on the
> server that is harder!

It's almost as if people aren't reading my other emails :) If you need to prevent tampering, use a hash. If you need to completely secure the data, encrypt it.

--
Michael Peters
Plus Three, LP
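
The tamper-protection half of the advice above, as an added example that is not part of the original message or of any project's code. It assumes "use a hash" means a keyed hash (HMAC-SHA256 with a server-side secret); the key, function names and `payload.mac` cookie layout are hypothetical. It signs but does not encrypt, so the client can still read the payload.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret that is never sent to the client (constructed value).
SECRET_KEY = b"constructed-demo-key-replace-me"
MAX_COOKIE_BYTES = 4096  # the 4K single-cookie limit mentioned in the message


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str) -> str:
    digest = hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).digest()
    return _b64(digest)


def encode_session(session: dict) -> str:
    """Serialize session data and append a keyed hash: payload.mac"""
    raw = json.dumps(session, sort_keys=True, separators=(",", ":"))
    payload = _b64(raw.encode("utf-8"))
    value = payload + "." + _mac(payload)
    if len(value) > MAX_COOKIE_BYTES:
        raise ValueError("session data does not fit in a single cookie")
    return value


def decode_session(value: str):
    """Return the session dict, or None if the cookie is malformed or modified."""
    payload, sep, mac = value.partition(".")
    try:
        expected = _mac(payload)
        # Constant-time comparison avoids leaking how many MAC bytes matched.
        if not sep or not hmac.compare_digest(mac.encode("utf-8"),
                                              expected.encode("utf-8")):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # covers bad base64, bad JSON and bad encodings
        return None
```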
