5

There are two approaches I've been thinking about for storing data in cookies. One way is to use one cookie for all the data and store it as a JSON string.

The other approach is to use a different cookie for each piece of data.

The negatives I see with the first approach are that it'll take up more space in the headers because of the extra JSON characters in the cookie. Also, I'll have to parse and stringify the JSON, which will take a little processing time. The positive is that only one cookie is being used. Are there other positives I am missing?

The negative I see with the second approach is that there will be more cookie key-value pairs used.

There are about 15-20 cookies that I will be storing. The expires date will be the same for each cookie.

From what I understand, the max number of cookies per domain is around 4000. We are not close to that number yet.

Are there any issues I am overlooking? Which approach would be best?

Edit - These cookies are managed by JavaScript.

John Saunders
sissonb
    I would avoid cookies altogether and use local storage. Any reason why you don't want to do that? See [here](http://stackoverflow.com/questions/2010892/storing-objects-in-html5-localstorage) for an example, including how to serialize/deserialize objects. – Tim M. Aug 23 '13 at 21:37
  • @TimMedora The cookies are for sessionId's and visitorId's. There are a few analytic vendors that we use and we need to sync the IDs. – sissonb Aug 24 '13 at 00:39

3 Answers

8

If you hand out any data for storage to your users (which is what cookies do), you should encrypt the data, or at the very very least sign it.

This is needed to protect the data from tampering.

At this point, size considerations are way off (due to padding), and so is the performance overhead of parsing the JSON (encryption will cause significantly greater overhead).


Conclusion: store your data as JSON, (encrypt it), sign it, encode it as base64, and store it in a single cookie. Keep in mind that there is a maximum size for cookies (and it's 4K).

Reference: among numerous other frameworks and applications, this is what Rails does.

Thomas Orozco
2

A best-practice for cookies is to minimize their use. For instance, limit your cookie usage to just remembering the session id, and then store your data on the server side.

In the EU, cookies are subject to legal regulations, and using cookies for almost anything but session ids requires explicit client consent.

0

Good morning.

I think I understand you. Some time ago, I used cookies stored as encrypted JSON data, but for intranet or administration accounts. For shop users, I used this same practice. However, to store products on the shop site, I don't use encryption.

Important: sometimes I have problems with JSON decoding before decrypting the data. Depending on your use, you can adopt a system storing data separated by `;` and `:`, encrypted like:

  • `encrypt_function($key, "product:K10072;qtd:1|product:1042;qtd:1|product:3790;qtd:1")` to store products; and
  • `encrypt_function($key, "cad_products:1;mdf_products:2;cad_collabs:0")` to store security grants.

Any system can be hacked. You need to create an application with constant user data verification and log analysis. This system, yes, needs to be fast.

gmc_pecas