Hello,

I'm sorry if this post isn't related here. If you feel this post is useless, act according to your wish.

My question is: why don't we save the visitors' (subscribers') cookie information in a DB rather than setting a file on the user's machine? Yeah, I know I might sound silly, for the following reasons:

1) Maintaining a DB for every single user for every small chunk of data

2) It might be difficult to retrieve data when the database server is down

3) Continuous requests have to be made to the web server for each and every small piece of info.

My point is, if we are going to store the user's data in a DB rather than in a file on the client's machine, we can provide security to the client by not letting other organizations (or other sites, or even hackers) access the user's info from the cookies.

Moreover, we can track the user's activities or behaviour (I mean, we actually don't know what the user is doing [client-side activity], like data tampering).

If you feel that it might be difficult to send requests to the web server continuously: thanks to Ajax, which gives some support to my question, sending requests to the web server is made so simple using Ajax.

So, is it a good idea to store the user's sensitive information in a database rather than setting a small file on the user's machine?

Thank you!!

PS: Here I want to be specific, I'm not talking about sessions!

+3  A: 

Sensitive information shouldn't be in a cookie, I'll agree with you there. It should be stored somewhere server-side, either in a flat file on the server itself, or in a database.

What you do need on the client machine is one small cookie containing some obscure, hard-to-guess reference to this sensitive data.

Congratulations! You've just reinvented sessions!

(Webservers can be set up to store session data in a database instead of in flat files on the server if you prefer it that way.)

TRiG
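The pattern TRiG describes (sensitive data server-side, only an opaque hard-to-guess reference in the cookie) as an added example; this is not code from the thread, and the in-memory dict stands in for the flat file or database the answer mentions:

```python
import secrets
import time

# Server-side store keyed by session id (assumption: a dict here; a real
# deployment would use a file store or a database, as the answer notes).
SESSIONS = {}
SESSION_TTL = 3600  # seconds a session stays valid


def create_session(user_data, now=None):
    """Store user_data server-side and return the opaque id for the cookie."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG: unguessable, carries no user data.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"data": dict(user_data), "expires": now + SESSION_TTL}
    return session_id


def cookie_header(session_id):
    """Set-Cookie value: only the id leaves the server, never the data itself.
    HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def load_session(cookie_header_value, now=None):
    """Resolve the request's Cookie header to the server-side data, or None."""
    now = time.time() if now is None else now
    cookies = {}
    for part in cookie_header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    sid = cookies.get("sid")
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return None
    if entry["expires"] <= now:
        del SESSIONS[sid]  # expired: drop it so the id can never be reused
        return None
    return entry["data"]


def destroy_session(session_id):
    """Logout: forgetting the server-side entry invalidates the cookie."""
    return SESSIONS.pop(session_id, None) is not None
```
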
+1  A: 

Generally we use cookies because we're not necessarily setting any sensitive data in them. If your application does have sensitive data that you don't want anybody fiddling with, then by all means use every server-side and DB tool at your disposal to solve that, but not all applications and implementations need that level of security in these respects. Setting cookies is for convenience, that's all.

hollsk
+1  A: 

Your approach is definitely valid but has one fundamental problem (which is probably the reason for why cookies were created in the first place): identification.

How can you identify user A vs. user B without asking for a username/password? Cookies provide an easy way to make this differentiation. Once the user is identified, your points become completely valid.

Generally, sensitive information is not meant to be stored in cookies. Such information is best stored on the server side (as you indicated).

advait
+1  A: 

This is done already, or we'd be storing user names, addresses, and credit card information in a cookie rather than on the database. You have to evaluate what makes sense to keep in the database vs. what makes sense to store as a cookie. Server performance, bandwidth, scalability - all of these have to be kept in mind. Remember that the more we store server side, the more we'll have to deliver client-side.

You also mention sessions - sessions are cookies.

treefrog