tags:

views:

51

answers:

2
Q: 

Alternative to HTTP Cookies?

They say Cookies are bad. I personally believe there should be a "smarter" way to detect the state of a user on a web app.

Say, currently this is how it works in a distributed environment where xyz.com has many pools and servers (which i know of):

  1. User logs in xyz.com
  2. The login module of xyz.com drops a cookie on client's local machine.
  3. Now, when the client goes to Feature1 of xyz.com, the feature1 pool checks for a local cookie, if he finds it and if it has not expired then Feature1 assumes that the client is good and lets him in.

So, feature1 blindly trusts the client due to the cookie dropped by login module.

But I feel a fundamental flaw here at stage 3. What if a hacker clones a cookie and tries to do something? (which is the first obvious thing a hacker will try to do, cookie sniffing)

So, is there any alternative to this? - how will web storage, flash stored objects do in future? or cookies will rule?

Not looking for an obvious answer, because there are none. I am interested in different viewpoints of approaching this probem.

Thanks

A: 

One of the Fundamental principals of REST, and I mean real REST is not to store state on the server, if there is no state on the server, then there is no need for a cookie to be used as a key to look that state up.

fuzzy lollipop  2010-07-20 05:58:37
Can you please elaborate on this, that how will this work in the scenario I described above?
zengr  2010-07-20 06:24:01
you don't need cookies to track state on the server, there is none, you pass the state to the server from the client on every request, read the link about REST it is very simple to understand
fuzzy lollipop  2010-07-20 16:25:43
A: 

Interesting link about client side storage in HTML5: http://www.webreference.com/authoring/languages/html/HTML5-Client-Side/

Sjuul Janssen  2010-07-20 05:59:36
why the down vote? is it a bad option?
zengr  2010-07-21 03:21:16
I don't understand it either. It's a useful piece on the subject. I thought it was a good alternative to cookies
Sjuul Janssen  2010-07-21 06:01:28

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?