[cgiapp] enciphered-cookie-only sessions

Mark Fuller azfuller at gmail.com
Mon Mar 10 11:43:04 EDT 2008


On Mon, Mar 10, 2008 at 8:28 AM, Perrin Harkins <perrin at elem.com> wrote:
>  Have you tried browsing the web without cookies recently?  It doesn't
>  work at all on a large number of popular sites.  For better or worse,
>  cookies are a part of the deal now.

But that doesn't mean anything belongs in a cookie. It seems to me if
it can't be clear text it shouldn't be in a cookie. At least if it's
clear text I have the opportunity to see what's going on and make a
choice about whether to accept cookies from a site.

I'd go further and say nothing but a session key should go in a
cookie. Once it turns into additional elements, opinions differ about
what's sensitive or not (userid? first and last names? mailing
address? date of birth? credit card number?). If it's just a session
key there's not a lot to think about. If it contains more than that
there's always the risk that the cookie setter's ideas violate my
sense of privacy or security. If it's encrypted, who knows what's
going on. The fact that it warrants encryption would give me concern.

Mark
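As an added example in Python (not code from this thread or from CGI::Application), the two cookie shapes Mark contrasts: an opaque random session key with all state kept server-side, and a clear-text cookie the user can read but that carries an HMAC so it cannot be altered. The in-memory store, server key and user data are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed in-memory store; a real deployment would use a DB or cache.
SESSION_STORE = {}
# Constructed server-side secret for the signed clear-text variant.
SERVER_KEY = secrets.token_bytes(32)

def new_session(user_data: dict, ttl: int = 3600) -> str:
    """Variant 1: keep state server-side; the cookie gets only a random key."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"data": user_data, "expires": time.time() + ttl}
    return sid

def load_session(sid: str) -> Optional[dict]:
    """Look up the session; reject unknown or expired keys."""
    entry = SESSION_STORE.get(sid)
    if entry is None or entry["expires"] < time.time():
        SESSION_STORE.pop(sid, None)
        return None
    return entry["data"]

def sign_clear_text(user_data: dict) -> str:
    """Variant 2: readable state plus an HMAC tag; the user sees what is stored."""
    body = base64.urlsafe_b64encode(json.dumps(user_data, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_clear_text(cookie: str) -> Optional[dict]:
    """Return the state only if the tag matches (constant-time compare)."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))

def cookie_header(name: str, value: str) -> str:
    # Same transport hardening for either variant.
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

With variant 1 the cookie value reveals nothing about the user even if it leaks; with variant 2 the user can base64-decode the body and see exactly which fields the site chose to store.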

