Beware of custom cookies
Cookies are meant to store user-related data on the browser.
The recommended method of handling user data is not with a Cookie, but with an HttpSession:
- safer than using cookies directly - data related to the user is placed in 'session scope'. Session scope
exists on the server, not in the browser, and is a much more secure way of handling sensitive data. In addition,
when implementing a session with cookies, the container will always generate cookie values
that are difficult to guess, making it difficult for hackers to steal someone else's session.
- higher level of abstraction - each session is implemented using either
cookies or URL rewriting, but the details are hidden from the caller.
- independence of browser settings - if the user's browser has cookies disabled, then
the session will be implemented using URL rewriting, as a backup, if desired.
If you decide to use a Cookie directly, then care should be exercised that:
- it doesn't represent a security risk by exposing sensitive user data
- the case of disabled cookies is acceptable in some way
Note as well that the Open Web Application Security Project (OWASP) says that 'Remember Me' cookies are a security risk.
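The following servlet is an added example (not from the original page) of the two points above: user-related data goes into session scope, and the one cookie written directly carries only a harmless preference. The servlet class, attribute and parameter names, the "/home" path and the theme values are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: user data lives in session scope (server side); only a
 * non-sensitive display preference is placed in a cookie. Names below are
 * assumptions, not part of the original page.
 */
public class PreferencesServlet extends HttpServlet {

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Session scope is held by the container; the browser only receives the
    // opaque, container-generated session id (JSESSIONID by default), never
    // the data itself.
    HttpSession session = request.getSession(true);
    session.setAttribute("email", request.getParameter("email"));

    // The cookie holds only a harmless preference. The user can edit it at
    // will, so nothing stored here may be trusted for authorization.
    Cookie theme = new Cookie("theme", sanitizeTheme(request.getParameter("theme")));
    theme.setHttpOnly(true);            // not readable from script (Servlet 3.0+)
    theme.setSecure(true);              // only sent over HTTPS
    theme.setPath("/");
    theme.setMaxAge(60 * 60 * 24 * 30); // expire after 30 days
    response.addCookie(theme);

    // If the browser has cookies disabled, encodeRedirectURL appends the
    // session id to the URL (URL rewriting); otherwise the URL is unchanged.
    response.sendRedirect(
        response.encodeRedirectURL(request.getContextPath() + "/home"));
  }

  /** Accepts only known theme names; anything else falls back to the default. */
  static String sanitizeTheme(String raw) {
    return "dark".equals(raw) ? "dark" : "light";
  }
}
```

Reading the data back later uses `request.getSession(false)` and `session.getAttribute("email")`; a null session means the user's session has expired or never existed, which the application must handle rather than assume.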