Beware of custom cookies
Cookies are meant to store user-related data on the browser.
- safer than using cookies directly - data related to the user is placed in 'session scope'. Session scope exists on the server, not in the browser, and is a much more secure way of handling sensitive data. In addition, when implementing a session with cookies, the container will always generate cookie values that are difficult to guess, making it difficult for hackers to steal someone else's session.
- higher level of abstraction - each session is implemented using either cookies or URL rewriting, but the details are hidden from the caller.
- independence of browser settings - if the user's browser has cookies disabled, then the session can be implemented using URL rewriting, as a backup, if desired.
- it does not represent a security risk by exposing sensitive user data
- the case of disabled cookies is acceptable in some way
See Also :
Would you use this technique?