I'm wondering, are there any guidelines or best practices on when to use sessions and cookies? What should and what should'nt be stored in them? Thanks!
+1
A:
Only data that identify the session and non-security-sensitive user preferences.
A primary rule of writing secure apps is that a hostile party can easily modify data before returning it to you. Therefore you should not assume that any values submitted from a client are safe to use without validation. A standard technique is to hold data on the server and only exchange a key, constructed in a way that you can check for modification. (I.e. don't use the user ID or account number, as a hostile client could systematically manipulate such a value to try to retrieve data from other users or sessions.)
joel.neely
2009-12-06 13:42:47
+2
A:
These documents are a good read on security problems with session cookies, and how to get around them.
In summary, you keep a secret key on the server. With this key you can calculate a secure hash over the secret key, a time stamp, and any data you want in the cookie. You include the secure hash, the time stamp and the data in the cookie.
When you receive a request you can validate that you get the signature expected. So nobody have tampered with the cookie contents.
Christian
2009-12-06 13:57:09