4

I'm trying to do a simple display integration between two websites.

One on:

domain.com

and another on:

subdomain.domain.com

All I want to do is show a "Hello John, Return to Client Area" message.

I'm looking for some advice on whether you think it's acceptable to store information such as a first name and e-mail address in a cookie?

I need first name for "Hello [Name]" and email for a gravatar. I could pre md5 the gravatar, or add the gravatar url to the cookie, however its a similar premise either way.

This information will be useless, so changing it won't be able to do anything malicious.

I know i could simply create a [logged in = true] cookie that shows return to user area. However i feel the other way gives a better illustration of being logged in.

Callum
  • 131
  • 1
  • 5

1 Answers1

3

First of all, I hope by domain.com and subdomain.domain.com you do not mean you are using HTTP in which case the cookies are highly exposed and manipulated on an attacker's will. I hope also -in case you are not using HTTPS- the services of your website are not crucial (not e-commercial, for instance).

As a general good security practice, **never store private information in cookies **. If a client of your website uses his/her main email address to login then for sure they wouldn't like to see it used by a third party (spams) thanks to your website (in case you use, for example, Google AdSence). Add to this a set of common famous cookies' vulnerabilities such as cross-site cooking or simply cookie theft. An email address is important data -in my case, I wrote it encoded on my profile. I definitely advise you not to use email within cookies.

Solution:

As everything else, sessions are not safe for 100%, but still it is better to generated unique session identifier in the cookie, and store everything else on your server instead. This pretty much eliminates common threats such as cookie poisoning. And as for cookies, do not store any data in the session pertaining to access credentials (in your case, the client's email ?)