Best Practice for Cookies

Tags:

cookies

There are two approaches I've been thinking about for storing data in cookies. One way is to use one cookie for all the data and store it as a JSON string.

The other approach is to use a different cookie for each piece of data.

The negatives I see with the first approach are that it'll take up more space in the headers because of the extra JSON characters in the cookie. Also, I'll have to parse and stringify the JSON, which will take a little processing time. The positive is that only one cookie is being used. Are there other positives I am missing?

The negative I see with the second approach is that there will be more cookie key-value pairs used.

There are about 15-20 cookies that I will be storing. The expires date will be the same for each cookie.

From what I understand the max number of cookies per domain is around 4000. We are not close to that number yet.

Are there any issues I am overlooking? Which approach would be best?

Edit - These cookies are managed by JavaScript.

asked Aug 23 '13 21:08 by sissonb


2 Answers

If you hand out any data for storage to your users (which is what cookies do), you should encrypt the data, or at the very very least sign it.

This is needed to protect the data from tampering.

At this point, size considerations are way off (due to padding), and so is the performance overhead of parsing the JSON (encryption will cause significantly greater overhead).


Conclusion: store your data as JSON, (encrypt it), sign it, encode it as base64, and store it in a single cookie. Keep in mind that there is a maximum size for cookies (and it's 4K).

Reference: among numerous other frameworks and applications, this is what Rails does.

answered Sep 20 '22 19:09 by Thomas Orozco


A best-practice for cookies is to minimize their use. For instance, limit your cookie usage to just remembering the session id, and then store your data on the server side.

In the EU, cookies are subject to legal regulations, and using cookies for almost anything but session ids requires explicit client consent.

answered Sep 20 '22 19:09 by Robert Jørgensgaard Engdahl