Best Practice for Cookies

Question

There are two approaches I've been thinking about for storing data in cookies. One way is to use one cookie for all the data and store it as a JSON string.

The other approach is to use a different cookies for each piece of data.

The negatives I see with the first approach is that it'll take up more space in the headers because of the extra JSON characters in the cookie. Also I'll have to parse and stringify the JSON which will take a little processing time. The positive is that only one cookie is being used. Are there other positives I am missing?

The negatives I see with the second approach is that there will be more cookie key value pairs used.

There are about 15-20 cookies that I will be storing. The expires date will be the same for each cookie.

From what I understand the max number of cookies per domain is around 4000. We are not close to that number yet.

Are there any issue I am overlooking? Which approach would be best?

Edit - These cookies are managed by the JavaScript.

Answer 1

If you hand out any data for storage to your users (which is what cookies do), you should encrypt the data, or at the very very least sign it.

This is needed to protect the data from tampering.

At this point, size considerations are way off (due to padding), and so is the performance overhead of parsing the JSON (encryption will cause significantly greater overhead).

---

Conclusion: store your data as JSON, (encrypt it), sign it, encode it as base64, and store it in a single cookie. Keep in mind that there is a maximum size for cookies (and it's 4K).

Reference: among numerous other frameworks and applications, this is what Rails does.

Answer 2

A best-practice for cookies is to minimize their use. For instance, limit your cookie usage to just remembering the session id, and then store your data on the server side.

In the EU, cookies are subject to legal regulations, and using cookies for almost anything but session ids require explicit client consent.