Tree View
#15
[quote name='Rainer' date='10 June 2010 - 06:04 PM' timestamp='1276185870' post='420']

Well, a general security rule is: "What you don't have (and store) cannot be stolen (that easily)".

A good website keeps member settings in its own DB and sets up a cookie just for the actual session ... eventually filled with data from its own DB. Yes, it means more work for the website (since it cannot offload this stuff to the user's side in that case) ... but it is simply more secure.

[/quote]



Cookies impose no security risk per se.



They're only risky in an internet-cafe or stolen hardware scenario where your settings get "exposed" (and in the latter case cookies are the least problem). In an internet cafe you should use e.g. the "private mode" which is available in modern browsers. In this case cookies are deleted upon exiting the browser.



Even so, the PZ cookies are harmless because here at PZ the worst thing that could happen would be spamming the forum with your account. This is different on sites with an auto-login where you can lose money or expose critical data - e.g. in web-shops or banks. A decent website with critical data will, of course, only allow temp-Cookies and not the persistent ones used for forums and such.
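The session-versus-persistent distinction discussed in this post can be checked from a site's `Set-Cookie` headers. The following is an added example, not part of the original post or of any forum software: the cookie names, values and the `AUTH` set are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def classify(set_cookie, now):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie header value.

    kind is 'session' (dropped when the browser exits), 'persistent'
    (written to disk until it expires) or 'delete' (already expired).
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie: %r" % set_cookie)
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"]:      # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(morsel["max-age"])
    elif morsel["expires"]:
        lifetime = int((parsedate_to_datetime(morsel["expires"]) - now).total_seconds())
    else:
        return name, "session", None   # no lifetime attribute: temp cookie
    return name, ("persistent" if lifetime > 0 else "delete"), lifetime

def persistent_auth_cookies(headers, auth_names, now):
    """Names of login-bearing cookies that would survive a browser restart."""
    found = []
    for header in headers:
        name, kind, _ = classify(header, now)
        if name in auth_names and kind == "persistent":
            found.append(name)
    return found

# Constructed sample responses; cookie names and values are hypothetical.
NOW = datetime(2010, 6, 11, 8, 50, tzinfo=timezone.utc)
FORUM = [
    "session_id=3f9a1c0e7b; Path=/; HttpOnly",
    "member_id=4711; Expires=Sat, 11 Jun 2011 08:50:00 GMT; Path=/",
    "pass_hash=0123abcd; Max-Age=31536000; Path=/",
    "last_visit=1276185870; Max-Age=0; Path=/",
]
SHOP = ["sid=9b2e77aa01; Path=/; Secure; HttpOnly"]
AUTH = {"session_id", "sid", "member_id", "pass_hash"}

if __name__ == "__main__":
    for header in FORUM + SHOP:
        print(classify(header, NOW))
    print("forum:", persistent_auth_cookies(FORUM, AUTH, NOW))
    print("shop: ", persistent_auth_cookies(SHOP, AUTH, NOW))
```
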
  

