
Using Cookies. Is it Safe?

 
Ram Balasubramaniam
Greenhorn
Posts: 21
I am working on an application in which we are storing the user information like the user name, the dept and the roles in a cookie. We are using the HTTPSessionCookie.
Now I have a serious doubt about how safe it is. Once I log in to my application, the information is stored in my browser cookie. Can anyone hack into my machine, take the info and use it on his machine?
I see all the cookies getting stored in a particular location in the user profiles on Win2K machines. All these are text files. So I was wondering if anyone can hack and edit this text file or take this info.

Can someone explain cookies in detail...
 
Dave Vick
Ranch Hand
Posts: 3244
Ram
What is the HttpSessionCookie? Is that a class you defined? In general a cookie would be accessible to anyone who has access to the machine it is stored on. Depending on how you've implemented your app it may or may not help them. Do they need to log into the app with a password? Or is all their personal info stored in the cookie?
If there is no danger of anyone doing anything malicious with the app, or if there is no private data, then it shouldn't matter who can see it. If there are things that shouldn't be seen or things that can be done to the app, then it should have more protection than a cookie stored on the client. How do they get the cookie in the first place? Just by going to the site? Or do they log in? If they have to log in then there is nothing wrong with storing some data in a cookie - just don't store the password.
On the other hand, if you're worried about someone else reading the data in the cookie, then why not just store the data in the session?
 
Ram Balasubramaniam
Greenhorn
Posts: 21
Hi Dave,
I am using the cookie the regular way to store the information of the user who logs in and his department.
Since this is an application with different users having restricted access, we are using
ACLs (Access Control Lists) to grant the access. Based on the dept the user is in, we grant the permission. We are storing this user information in the cookie. We are not storing any passwords.
My question is, if a user logs in (a cookie is created on his machine for the application), once he logs out can someone break into the machine, copy the contents of the cookie and use it in his cookie?
When the user logs out of the system will the cookie also get destroyed (if I have not used the setMaxAge() method in my code)?
Where does Tomcat write the cookie info on the client browser?
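The following servlet is an added example for this thread, not code posted by Ram or Dave and not Tomcat's own code. It puts Dave's suggestion ("store the data in the session") next to the cookie-based approach Ram describes, and it covers the logout questions in the post above: a cookie created without setMaxAge() is a browser-session cookie, so logging out of the application does not remove it unless the server explicitly sends it back with a max-age of 0, and the server side of the session must be invalidated as well. Tomcat itself never writes to the client's cookie file; it only sends a Set-Cookie header, and the browser decides where and whether to persist it. The example assumes the javax.servlet API as shipped with Tomcat 4/5 (Tomcat 10 and later use the jakarta.servlet package), the cookie names "dept" and "JSESSIONID", and a URL layout where /logout ends the session; the password check is left out.

```java
// Added example (not from the thread). Assumes the javax.servlet API that
// Tomcat 4/5 ship; on Tomcat 10+ replace javax.servlet with jakarta.servlet.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AclServlet extends HttpServlet {

    // UNSAFE: the department is read straight back from the client's cookie.
    // Anyone who can edit the cookie file (or the HTTP request) can change
    // "dept=sales" to "dept=finance" and the ACL check below would believe it.
    static String deptFromCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("dept".equals(c.getName())) {
                    return c.getValue();
                }
            }
        }
        return null;
    }

    // SAFER: the department lives in the server-side HttpSession. The only
    // thing stored on the client is the opaque session id (JSESSIONID);
    // editing that gives an attacker no way to choose a department.
    static String deptFromSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);   // never create one here
        return session == null ? null : (String) session.getAttribute("dept");
    }

    // Called once the password has been verified (that lookup is elided).
    // Only the session id cookie goes to the browser, not user or dept.
    static void onLogin(HttpServletRequest req, String user, String dept) {
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setAttribute("dept", dept);
    }

    // Logout must do two things: drop the server-side state and tell the
    // browser to discard the id cookie. A cookie sent without a max-age is a
    // browser-session cookie, so without setMaxAge(0) it stays until the
    // browser exits, and until invalidate() is called a copied id still works.
    static void onLogout(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie kill = new Cookie("JSESSIONID", "");
        kill.setMaxAge(0);
        // The path must match the one Tomcat used, or the browser keeps the old cookie.
        String ctx = req.getContextPath();
        kill.setPath(ctx.length() == 0 ? "/" : ctx);
        resp.addCookie(kill);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getPathInfo())) {
            onLogout(req, resp);
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Authorization decision uses the session copy, never the cookie copy.
        String dept = deptFromSession(req);
        if (dept == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // not logged in
            return;
        }
        if (!"finance".equals(dept)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);      // ACL denies
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Finance report for "
                + req.getSession(false).getAttribute("user"));
    }
}
```

What this does not fix: a JSESSIONID copied off the machine while the session is still valid lets whoever holds it act as that user until invalidate() runs or the session times out, which is why the logout path above invalidates the session rather than only expiring the cookie, and why the session timeout in web.xml and serving the site over HTTPS matter as much as what is stored in the cookie.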
 