I'm wondering, are there any guidelines or best practices on when to use sessions and cookies? What should and what shouldn't be stored in them? Thanks!

+1  A: 

Only data that identify the session and non-security-sensitive user preferences.

A primary rule of writing secure apps is that a hostile party can easily modify data before returning it to you. Therefore you should not assume that any values submitted from a client are safe to use without validation. A standard technique is to hold data on the server and only exchange a key, constructed in a way that you can check for modification. (I.e. don't use the user ID or account number, as a hostile client could systematically manipulate such a value to try to retrieve data from other users or sessions.)

joel.neely
+2  A: 

These documents are a good read on security problems with session cookies, and how to get around them.

In summary, you keep a secret key on the server. With this key you can calculate a secure hash over the secret key, a time stamp, and any data you want in the cookie. You include the secure hash, the time stamp and the data in the cookie.

When you receive a request you can validate that you get the signature expected, so nobody has tampered with the cookie contents.

Christian
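The signed-cookie scheme Christian describes, written out as an added example (not code from the original answers): the server keeps a secret key, HMACs the timestamp together with the cookie data, and on receipt checks the tag in constant time before trusting or even decoding the data. The cookie layout (`timestamp.base64data.hexmac`), the demo key and the `max_age` window are my assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment loads it from configuration, never from source.
SECRET_KEY = b"constructed-demo-key-for-cookie-signing"

def b64_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compute_mac(secret: bytes, ts: str, payload: str) -> str:
    # HMAC covers timestamp AND payload, so neither can be altered or swapped independently.
    return hmac.new(secret, f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()

def make_cookie(data: str, secret: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    ts = str(int(time.time() if now is None else now))
    payload = b64_encode(data.encode())
    return f"{ts}.{payload}.{compute_mac(secret, ts, payload)}"

def verify_cookie(cookie: str, max_age: int = 3600, secret: bytes = SECRET_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the cookie data if the signature and age check out, else None."""
    parts = cookie.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    ts, payload, tag = parts
    # Constant-time comparison, done before anything in the cookie is decoded or used.
    if not hmac.compare_digest(compute_mac(secret, ts, payload), tag):
        return None
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > max_age:
        return None  # expired, or timestamp from the future
    try:
        return b64_decode(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

Note that the data is only authenticated, not encrypted: anything in the cookie is readable by the client, which is why the answers above keep secrets and sensitive values on the server side.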
