[cgiapp] enciphered-cookie-only sessions

Mark Fuller azfuller at gmail.com
Mon Mar 10 09:27:47 EDT 2008


On Mon, Mar 10, 2008 at 6:15 AM, Michael Peters <mpeters at plusthree.com> wrote:
>
> I just use a URL encoded JSON cookie. I don't put anything sensitive in there.

Is there a risk that this contributes to the bad reputation of
cookies? One person puts stuff in a cookie and obfuscates it
(presumably for a reason). Another encrypts it (presumably for a
reason). There's no transparency for the user who isn't even asked if
they accept this.

To me, it sounds like the kind of thing that makes people disable
cookies entirely (or, trust them too much and, before too long
someone's definition of what's "not sensitive" and "satisfactory
obfuscation" is incorrect). It seems like just storing a sessionID
avoids all that. Is making the programming less complex worth falling
into that category of cookie suspicion?

Mark
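To make the trade-off in this exchange concrete, here is a small added Python example (not code from the cgiapp project or from either poster) that places the three cookie styles under discussion side by side: a URL-encoded JSON cookie whose contents any holder can read and alter, an HMAC-signed cookie whose contents are tamper-evident but still readable, and an opaque session ID that carries no data at all and is only meaningful to the server. The in-memory `SESSION_STORE`, the cookie name `session`, and the key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import quote, unquote

# Constructed in-memory session store; a real application would use a
# database or cache keyed by the session ID.
SESSION_STORE = {}


def json_cookie(data):
    """URL-encoded JSON cookie: the client can read and edit every field."""
    return quote(json.dumps(data, separators=(",", ":")))


def decode_json_cookie(value):
    """Nothing stops anyone holding the cookie from decoding it."""
    return json.loads(unquote(value))


def signed_json_cookie(data, key):
    """HMAC-signed cookie: tamper-evident, but the payload is only base64,
    so its contents are still fully visible to the client."""
    payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_signed_cookie(value, key):
    """Return the payload if the signature checks out, else None."""
    payload, _, sig = value.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def new_session(data):
    """Opaque session ID: 256 random bits that mean nothing off the server.
    There is no payload to obfuscate or encrypt, so nothing to get wrong."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = dict(data)
    return sid


def load_session(sid):
    """Look the ID up server-side; unknown or forged IDs simply miss."""
    return SESSION_STORE.get(sid)


def session_cookie_header(sid):
    """Cookie attributes that keep the ID off plain HTTP and away from scripts."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    user = {"user": "alice", "role": "editor"}
    key = b"constructed-example-key"
    print("json cookie   :", json_cookie(user))
    print("signed cookie :", signed_json_cookie(user, key))
    sid = new_session(user)
    print(session_cookie_header(sid))
    print("server sees   :", load_session(sid))
```

Running it shows the first two cookies spelling out the user's data (the signed one merely base64-encoded), while the session cookie is a random string that reveals nothing even if logged or leaked; the cost, as the thread notes, is the server-side store the opaque ID points at.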

