[Pdx-pm] saving state with CGI.pm

Austin Schutz tex at off.org
Wed Nov 5 13:08:45 CST 2003

On Thu, Nov 06, 2003 at 10:21:47AM -0800, Ovid wrote:
> --- Austin Schutz <tex at off.org> wrote:
> > 	One way to do it is to use cookies. Benefits are that you don't
> > have to save any state yourself and the user can go back to any part of the
> > form at any point in the future and still access their data. You can set
> > cookies at any part of your website and have them readable everywhere, sort
> > of like global variables.
> Er, sorry, but I have to say that this is a terrible idea.
>   http://use.perl.org/~Ovid/journal/15165
>     (my credit card number and pin was stored in a cookie)
>   http://use.perl.org/~Ovid/journal/13542
>     (Friendster stored password in cookie)
>   http://use.perl.org/~Ovid/journal/13471
>     (Microsoft abuses cookies and a young lady may have gotten in trouble 
>      because a cookie revealed the location of her online journal)
> You can read about those horror stories of storing user data in the cookies.

	Three points of rebuttal... err.. I guess four:

	1. If a credit card number has to be stored, I'd much rather have it
stored on my computer than on some poorly maintained webserver run
by joe shmoe on the other side of the 'Net.
	2. You shouldn't be storing credit card information anyway.
	3. Encryption works swell. Just because the data is stored on the
user's computer doesn't mean it has to be available in plaintext.

	In addition to the point that if you can't trust the other users
on an insecure operating system you shouldn't be using it anyway. In the
"young lady" story her parents could just as well have installed a keystroke
logger, etc. etc. etc.


More information about the Pdx-pm-list mailing list