Thread: Storing Emails in Cookies
Jan 19, 2005, 18:23 #1
Storing Emails in Cookies
This seems pretty basic, but I ran a search in this forum and on Google, and couldn't find a quick answer to it.
Is it "relatively" safe to store plain-text email addresses in your site's cookies?
Meaning -- is there a way for mischievous site owners to look at cookies that do not belong to their site and pull a user's email address out of it?
I ask because a visitor who filled out a form on one of my sites called me up (irate) saying that ever since they were on my site, they've been bombarded with emails from other companies dealing in the same industry.
...my only other thought is that someone is monitoring packets coming off the site and snagging emails on the way to the server...
Any thoughts/comments appreciated!
Thanks,
Brandon
Jan 19, 2005, 22:47 #2
No, another site owner cannot generally read the contents of a cookie that they did not place on your machine unless by way of attack, exploit, worm, or other vulnerability.
However, as a rule it's not safe to store *any* discernible information in a cookie. I would try and find another way to code your site that doesn't require that information in a cookie.
(Forgive me if you know this already) A cookie is a text file that is stored in a common location on someone's computer; as such, it is susceptible to compromise. Not to mention that there may be potential danger to the security of your web server (completely dependent on the soundness of your own coding practices) if the contents of that cookie file were maliciously altered.
Now, packet sniffing is a whole different can of worms, which may be the case as well. The only really easy way to deter that problem is to force an SSL connection for the parts of the site that transmit that sensitive information. This would encrypt the communication between your web server and the client trying to access it. Whatever information was sniffed by some third party would be encrypted. If you have SSL configured on your server, you initiate the connection by prefixing the address with https:// rather than http:// (again, really forgive me if this is old news for you).
Hope that helps.
- Bill
Jan 20, 2005, 10:44 #3
Alright, I can encrypt cookie values -- no problem. This would at least give some added protection against viruses, etc. on the user's computer, as well as some added protection in the HTTP headers.
However, I'm guessing that someone sniffing packets would still be able to grab the email address when the user posts their info in the online form... Correct? That's when SSL is needed.
I guess it's still worthwhile to encrypt the cookie.
Thanks.
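The two replies above raise three separate concerns: a cookie can be read off the user's disk, a cookie can be altered before it is sent back to the server, and anything sent over plain HTTP can be sniffed. The following Python example is added here to illustrate the server-side pattern that addresses the first two (it is not code from either poster): the email address never leaves the server at all, the browser only holds a random opaque session id, that id is HMAC-signed so alterations are detected, and the cookie carries the Secure and HttpOnly attributes so the browser only sends it over HTTPS and keeps it away from page scripts. The `SERVER_KEY` value, the in-memory `SESSIONS` store and the sample address are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for this example: a real deployment loads the key from
# configuration or a secrets manager and never hard-codes it.
SERVER_KEY = b"example-key-do-not-use-in-production"

# Constructed for this example: server-side session store. In production
# this would be a database or cache keyed by the opaque session id.
SESSIONS = {}


def new_session(email: str) -> str:
    """Keep the email on the server; hand the browser only a random id."""
    sid = secrets.token_urlsafe(32)  # URL-safe base64, never contains '.'
    SESSIONS[sid] = {"email": email}
    return sid


def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so the server can detect a modified cookie."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed: str):
    """Return the original value if the tag checks out, otherwise None."""
    try:
        value, tag = signed.rsplit(".", 1)
    except ValueError:
        return None  # no separator: not something this server issued
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered value or forged tag
    return value


def build_set_cookie(sid: str) -> str:
    """Build the Set-Cookie header value: signed opaque id, Secure, HttpOnly."""
    cookie = SimpleCookie()
    cookie["session"] = sign(sid)
    cookie["session"]["secure"] = True    # browser sends it only over HTTPS
    cookie["session"]["httponly"] = True  # not readable by document.cookie
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def lookup_email(cookie_header: str):
    """Parse a Cookie request header, verify the signature, resolve the email.

    Returns None when the cookie is missing, tampered with, or unknown.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    sid = verify(cookie["session"].value)
    if sid is None:
        return None
    return SESSIONS.get(sid, {}).get("email")


if __name__ == "__main__":
    sid = new_session("visitor@example.com")  # constructed sample address
    header = build_set_cookie(sid)
    print("Set-Cookie:", header)            # no email address appears here
    print("Resolved:", lookup_email(header.split(";")[0]))
    forged = "session=forged-id." + sign(sid).rsplit(".", 1)[1]
    print("Forged cookie resolves to:", lookup_email(forged))  # None
```

Note what this does and does not cover: the form post that first carries the address to the server is still plain text unless the form is served and submitted over https://, exactly as the third post concludes. Signing also differs from encrypting: the signed value is readable, but it is useless without the server-side record it points to, and any change to it is rejected.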