what's the security issue about cookie ?

I heard some 'rumor' about the security problem if server uses cookie on browser. Can someone describe in some detail what can be the potential problem ? do we really need to worry about it ? I know if I use "encodeURL" then server will first try using cookies unless user blocks it, so is ther any big security risk associate with it ?


thanks.

What exactly is the rumor you heard? We cant dispell or confirm any rumor about security vulnerabilities and cookies if we dont know what rumor you are referring to1
[ July 13, 2005: Message edited by: Paul Bourdeaux ]

Perhaps you are referring to the fact that cookies travel on the unprotected internet in cleartext. In theory, an eavesdropper could hijack your session and gain access to your accounts. But that is true for the actual account information that is travelling on the internet as well. If that is a concern, you should use SSL, which will encrypt your data before sending it on the web.

Do share the other 'rumors' you may have heard

Originally posted by Paul Bourdeaux:
What exactly is the rumor you heard? We cant dispell or confirm any rumor about security vulnerabilities and cookies if we dont know what rumor you are referring to1

[ July 13, 2005: Message edited by: Paul Bourdeaux ]

actually the people who told me cookies are unsafe never told me what exactly why, they just said they heard about it...

Cookies are stored on the clients computer, and are easily accessible (and editable) by both the user and any webpages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.

There are also issues involving

* cookies being written in one domain and read in another (besides other things it allows sites to track your movement)
* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie, you could become anyone just be editing the file. Don't laugh it happens to often.

These relate to the usage of cookies and not problems the cookies themselves, but they are security concerns anyway.

I guess I'd also add that since they are files on your harddrive and may contain sensetive information they are open for 'information harvesting' from virus and trojans.

David,
I have seen some posts edited by the author, but when I clicked on the edit icon, a msg stated that only adminstrator or moderator can perform this function. Could you explain what happens?

Originally posted by Paul Bourdeaux:
Cookies are stored on the clients computer, and are easily accessible (and editable) by both the user and any webpages they may be visiting. For this reason, you should not store any personal data in cookies, or at least not store any data that should not be shared with others.

Session hijacking is also sometimes a concern, and if so you should use SSL as Sharad suggested.

Other than that, I am not aware of any security problems with cookies.

so, for this encodeURL case, I wouldn't think cookie is a problem because server will just saves the "jsessionid" there, if you use URLRewriting, you will see this jsessionid on the URL. so, same thing to me, right ?

Originally posted by David O'Meara:
There are also issues involving

* developers being careless about the data placed in cookies - imagine the ranch just put your user number in our cookie, you could become anyone just be editing the file. Don't laugh it happens to often.

Doesn't JR store password in a cookie ?. It is not good.

JR doesn't, UBB does

so, for this encodeURL case, I wouldn't think cookie is a problem because server will just saves the "jsessionid" there, if you use URLRewriting, you will see this jsessionid on the URL. so, same thing to me, right ?

Right.

Not quite. We've been assuming 'persistent cookies', whih are the ones storred on the file system. Unless specified othewise, session cookies are usually 'in memory' only and not written to the client machine. It is, however, possible to convert a jsessionid to a persistent cookie, but you'll have to read Marty Hall's Core Java