From: "Chris W" <[EMAIL PROTECTED]>
I am still new to web programming but I have a lot of experience in developing non web based applications. So I think I am a reasonably clever programmer and I have now done enough web programming that I understand the cookie mechanism. What I can't figure out is why so many people are paranoid about cookies. I don't really see much of anything that can be done with cookies to invade someone's privacy. Am I missing something here?
Exactly. The problem isn't the mechanism, it's the implementation by the programmer. If you save my favorite color in a cookie, no big deal. If you save my username and password in a cookie, that is a big deal. Cookies are sent back and forth between the web server and client in plain text, so they can be captured.
The other thing to realize is that cookies can be changed; they come from the client. So if you set my "id" to 555 in a cookie and that determines who I am for your site, I can change the "id" to 333 and become another person. Again, it's a problem with the implementation by the program, not cookies themselves.
And don't forget the effect media hype had on their reputation. Cookies were portrayed as bad guys. As John says, they're not if they're used correctly, but it only takes one high-profile example of improper use to tarnish a reputation forever.
-- Stuart
-- PHP General Mailing List (http://www.php.net/)
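The "id" 555 to 333 case raised in the thread above, as an added example that is not part of the original messages: a server that must keep an identifier in a cookie can attach an HMAC to it and reject any value whose MAC does not verify. The function names and the key are hypothetical; the key is assumed to live only on the server.

```php
<?php
// Constructed server-side secret for this example; in a real application
// it is loaded from configuration and never sent to the client.
const COOKIE_KEY = 'constructed-demo-key-change-me';

// Build the cookie value as "<id>.<hex HMAC-SHA256 of id>".
function make_id_cookie(int $id): string
{
    $mac = hash_hmac('sha256', (string) $id, COOKIE_KEY);
    return $id . '.' . $mac;
}

// Return the id only if the MAC verifies; null means the value
// was altered on the client or is malformed.
function read_id_cookie(string $value): ?int
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2 || !preg_match('/\A[0-9]+\z/', $parts[0])) {
        return null;
    }
    [$id, $mac] = $parts;
    $expected = hash_hmac('sha256', $id, COOKIE_KEY);
    // hash_equals compares in constant time, so the check does not
    // leak how many leading characters of the MAC were correct.
    return hash_equals($expected, $mac) ? (int) $id : null;
}

// Value the server would hand to setcookie() for user 555.
$issued = make_id_cookie(555);
var_dump(read_id_cookie($issued));

// The client rewrites the id to 333 but keeps the old MAC: rejected.
$tampered = '333' . substr($issued, 3);
var_dump(read_id_cookie($tampered));

// A bare id with no MAC at all is rejected as well.
var_dump(read_id_cookie('333'));
```

The MAC only detects modification; the value still travels in plain text, so it does nothing for the capture problem mentioned in the same reply.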