I have a question concerning cookie storage design. I am developing a web application which should cache it’s server-fetched data to a local storage. No user credentials will be stored.
What is in the cookie:
- list of data and it’s properties
- proof for up-to-dateness
Proof for up-to-dateness will not be a hash, but most likely a timestamp of the last write to the server which is checked against the DB. This is to ensure the user gets valid info if he has used the website on another browser/computer/device and is out of sync.
The cookie should be able to handle more than one user in it and most probably some sort of encryption so other people can’t see plain-text data. Military-grade security isn’t needed here as the information here is not so important. But everything hacked in less than 30-60 minutes should be considered unsafe.
Questions:
- How to encrypt my data
- How to enable the cookie for multiple users
- How to prevent the cookie from being stolen
- What would be a good and simple way to present the option to disable cookie caching and explain to my users the risks of using caching on public computers
- Is the whole idea any good at all
- What are some potential issues I haven’t accounted for
I’ll answer #5 (which renders the rest of the questions moot).
Cookies aren’t designed for that sort of thing. They are make a round trip with every HTTP requests – including on same domain CSS, images, JS, etc.
I suggest you look at HTML 5 local storage or just sending the data down to the browser every time with a minimal key cookie.
For #3 – there isn’t a way to fool proof way prevent someone from stealing a cookie or forging a duplicate.