databasesecuritycookiestampering

Is it better to store user data in a database rather than in cookies?


Why don’t we save the cookie information of website visitors (subscribers) in the database rather than setting a file on the user's machine. Yeah, I know I might sound silly for the following reasons:

  1. Maintaining database information for every single user for ever small ‘chunk’ of data is difficult.

  2. It might be difficult to retrieve data when the database server is down.

  3. Continuous requests are to be made to the web server for each and every small piece of information.

My point is, If we are going to store the user’s data in a database rather than in a file on the client’s machine, we can provide security to the client by not allowing other organizations or other sites (or even hackers) to access the user’s information from the cookies.

Moreover, we can track the user's activities or behaviour. (I mean, we actually don't know what the user is doing (client-side activity) like data-tampering.)

If you feel that it might be difficult to send requests to web server continuously, it isn’t, thanks to Ajax. This gives some support to my position: sending requests to a web server made so simple using Ajax.

So, is it a good idea to store the user’s sensitive information in a database rather than setting a small file on the user’s machine?

To be specific, I’m not talking about sessions!


Solution

  • Your approach is definitely valid but has one fundamental problem (which is probably the reason for why cookies were created in the first place): identification.

    How can you identify user A vs. user B without asking for a username/password? Cookies provide an easy way to make this differentiation. Once the user is identified, your points become completely valid.

    Generally, sensitive information is not meant to be stored in cookies. Such information is best stored on the server side (as you indicated).