[Eug-lug] Re: toss cookies selectively!!!

larry price laprice at gmail.com
Tue Feb 8 10:54:34 PST 2005


On Mon, 7 Feb 2005 21:43:24 -0800, Bob Miller <kbob at jogger-egg.com> wrote:

> A cookie should just be a nonce.  It shouldn't give the end-user any
> information and the system shouldn't rely on it having any structure.
> It should also change frequently to prevent replay attacks.

but you've set your cookies file to be read-only, 

fortunately for anything remotely important, possession of the cookie
alone should not enable you to get to the target information.

> 
> Keep the actual data on the server in an RDBMS or something.

That is the standard practice. I think I had in mind something along
the lines of a preferences file that would be sent to multiple sites
and let the host site know what the visitor's preferred configuration
was.

There is also the question of data retention and ownership,
particularly in Europe but elsewhere also. Keeping a visitor's
information in any format subjects you to a number of stringent
regulations as to who can access what, when, for how long, and under what
circumstances you can keep it. Letting the visitor keep it would be
one engineering solution to a bunch of legal constraints.



-- 
http://Zoneverte.org -- information explained
Do you know what your IT infrastructure does?


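Bob's three properties above (the cookie is an opaque nonce, the real data stays on the server, the value changes often so a captured copy cannot be replayed) written out as a small server-side session store. This is an added example, not code from the thread; the class and method names (SessionStore, create, touch, destroy) and the injectable clock are my own choices.

```python
import secrets
import time


class SessionStore:
    """Server-side session store (constructed example).

    The cookie value handed to the browser is a random token that encodes
    nothing; every piece of real data lives in this store.  Each accepted
    request retires the presented token and issues a new one, so an old
    value that leaked (say, from a cookies file) stops working at once.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions = {}        # token -> (data dict, expiry timestamp)
        self._ttl = ttl_seconds
        self._clock = clock        # injectable for testing

    def create(self, data):
        """Issue a fresh opaque token for `data`; the token reveals nothing."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (dict(data), self._clock() + self._ttl)
        return token

    def touch(self, token):
        """Validate a presented token.

        On success the old token is retired and (new_token, data) is returned;
        on an unknown, already-used or expired token, None is returned.
        Because the old token is removed before anything else happens,
        presenting it a second time (a replay) fails.
        """
        entry = self._sessions.pop(token, None)
        if entry is None:
            return None
        data, expires_at = entry
        if self._clock() > expires_at:
            return None                      # expired: do not reissue
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = (data, self._clock() + self._ttl)
        return new_token, data

    def destroy(self, token):
        """Explicit logout: forget the session entirely."""
        self._sessions.pop(token, None)
```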