#1 Brandon Luhring

    Storing Emails in Cookies

    This seems pretty basic, but I ran a search in this forum and on Google, and couldn't find a quick answer to it.

    Is it "relatively" safe to store plain-text email addresses in your site's cookies?

    Meaning -- is there a way for mischievous site owners to look at cookies that do not belong to their site and pull a user's email address out of it?


    I ask, because a visitor who filled out a form on one of my sites called me up (irate) saying that ever since they were on my site, they've been bombarded with emails from other companies dealing in the same industry.

    ...my only other thought is that someone is monitoring packets coming off the site and snagging emails on the way to the server...

    Any thought/comments appreciated!

    Thanks,
    Brandon

#2 trogdor1024
    No, another site owner cannot generally read the contents of a cookie that they did not place on your machine unless by way of attack, exploit, worm, or other vulnerability.

    However, as a rule it's not safe to store *any* discernible information in a cookie. I would try and find another way to code your site that doesn't require that information in a cookie.

    (Forgive me if you know this already) A cookie is a text file that is stored in a common location on someone's computer; as such, it is susceptible to compromise. Not to mention that there may be potential danger to the security of your web server (completely dependent on the soundness of your own coding practices) if the contents of that cookie file were maliciously altered.

    Now, packet sniffing is a whole different can of worms which may be the case as well. The only real easy way to deter that problem is to force an SSL connection for the parts of the site that transmit that sensitive information. This would encrypt the communication between your webserver and the client trying to access it. Whatever information was sniffed by some third-party would be encrypted. If you have SSL configured on your server you initiate the connection by prefixing the address with https:// rather than http:// (again, really forgive me if this is old news for you).

    Hope that helps.

    - Bill

#3 Brandon Luhring
    Alright, I can encrypt cookie values -- no problem. This would at least give some added protection against viruses, etc. on the user's computer. As well as some added protection in the HTTP Headers.

    However, I'm guessing that someone sniffing packets would still be able to grab the email address when the user posts their info in the online form... Correct? That's when SSL is needed.

    I guess it's still worthwhile to encrypt the cookie.

    Thanks.

