...
A partial list of sensitive information includes user names, passwords, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see 1.13. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see 1.02. Limit the lifetime of sensitive data.
Noncompliant Code Example
In this noncompliant code example, the login servlet stores the user name and password in the cookie to identify the user for subsequent requests:
...
However, this attempt to implement the remember-me functionality is insecure: sensitive information must not be stored on the client side unless it is strongly encrypted, and here the password is written to the cookie in plaintext, where it persists on disk and is replayed on every request. The code also violates 1.13. Store passwords using a hash function, because the password is retained in its original form rather than hashed.
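An added illustration of the noncompliant pattern described above (example code written for this page, not the original servlet; the LoginService interface, the cookie names and the two-week cookie lifetime are assumptions):

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Deliberately insecure "remember me" login servlet: after a successful login
// it sends the user name AND the plaintext password back to the browser as
// persistent cookies, so both are stored on disk and replayed on every request.
public class InsecureLoginServlet extends HttpServlet {
  private static final int TWO_WEEKS = 14 * 24 * 60 * 60; // cookie max age, in seconds

  // Assumed back end that checks a password against the user store.
  interface LoginService {
    boolean isUserValid(String username, String password);
  }

  private LoginService loginService; // assumption: set by the container or in init()

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Input validation omitted for brevity.
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    boolean rememberMe = "true".equals(request.getParameter("rememberme"));

    if (!loginService.isUserValid(username, password)) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }

    if (rememberMe) {
      // The flaw: the password itself becomes a long-lived client-side cookie.
      // It is exposed to anyone who can read the browser's cookie store, to
      // script if the cookie is not HttpOnly, and to the network if it is not
      // marked Secure. No cookie flag makes storing the password acceptable.
      Cookie userCookie = new Cookie("username", username);
      Cookie passCookie = new Cookie("password", password);
      userCookie.setMaxAge(TWO_WEEKS);
      passCookie.setMaxAge(TWO_WEEKS);
      response.addCookie(userCookie);
      response.addCookie(passCookie);
    }
    response.sendRedirect("home");
  }
}
```

A quick check for this pattern in an existing application: log in with "remember me" enabled and inspect the Set-Cookie headers in the response; any cookie whose value is the submitted password, or a reversible encoding of it such as Base64, is an instance of this defect.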
Compliant Solution (Session)
This compliant solution implements the remember-me functionality by storing the user name and a secure random string in the cookie. It also maintains state in the session using HttpSession:
...
This solution avoids session-fixation attacks by invalidating the current session and creating a new session after the user authenticates, so that a session ID the attacker planted before login is never promoted to an authenticated one. It also reduces the window during which an attacker could perform a session-hijacking attack by setting a short session timeout (the maximum inactive interval; the value in the code shown here is 1).
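An added worked version of the compliant approach (example code written for this page, not the original solution): the browser receives only the user name and a 256-bit random login ID, the server maps that ID back to the user, the old session is invalidated before a new one is created, and the new session gets a short idle timeout. The LoginService interface, the cookie names, the two-week cookie lifetime and the 15-minute session timeout are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// "Remember me" without sending the password to the client: the browser holds
// only the user name and an unguessable random login ID; the server maps that
// ID back to the user. Authenticated state lives in the HttpSession.
public class RememberMeLoginServlet extends HttpServlet {
  private static final int TWO_WEEKS = 14 * 24 * 60 * 60; // cookie max age, seconds
  private static final int SESSION_TIMEOUT = 15 * 60;     // assumption: 15-minute idle timeout
  private static final SecureRandom RANDOM = new SecureRandom();

  // Assumed back end. Store the login ID hashed, as you would a password, so a
  // database leak does not hand out working remember-me credentials.
  interface LoginService {
    boolean isUserValid(String username, char[] password);
    void storeLoginId(String username, String loginId);
    boolean isLoginIdValid(String username, String loginId);
  }

  private LoginService loginService; // assumption: set by the container or in init()

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Input validation omitted for brevity.
    String username = request.getParameter("username");
    char[] password = request.getParameter("password").toCharArray();
    boolean rememberMe = "true".equals(request.getParameter("rememberme"));

    boolean validated;
    try {
      validated = loginService.isUserValid(username, password);
    } finally {
      Arrays.fill(password, '\0'); // limit the lifetime of the password in memory
    }
    if (!validated) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }

    if (rememberMe) {
      String loginId = newLoginId();
      loginService.storeLoginId(username, loginId);
      for (Cookie c : new Cookie[] {new Cookie("username", username),
                                    new Cookie("login_id", loginId)}) {
        c.setMaxAge(TWO_WEEKS);
        c.setSecure(true);   // never sent over plain HTTP (defeats sniffing)
        c.setHttpOnly(true); // not readable by script (blunts XSS theft)
        c.setPath("/");
        response.addCookie(c);
      }
    }
    establishSession(request, username);
    response.sendRedirect("home");
  }

  // For later requests that carry no valid session: re-authenticates the user
  // from the cookie pair without ever seeing the password again.
  boolean loginFromCookies(HttpServletRequest request) {
    String username = cookieValue(request, "username");
    String loginId = cookieValue(request, "login_id");
    if (username == null || loginId == null
        || !loginService.isLoginIdValid(username, loginId)) {
      return false;
    }
    establishSession(request, username);
    return true;
  }

  // Drop whatever session ID the client arrived with (it may have been planted
  // by an attacker: session fixation) and issue a fresh one with a short idle
  // timeout to narrow the window for session hijacking.
  private static void establishSession(HttpServletRequest request, String username) {
    HttpSession old = request.getSession(false);
    if (old != null) {
      old.invalidate();
    }
    HttpSession session = request.getSession(true);
    session.setAttribute("user", username);
    session.setMaxInactiveInterval(SESSION_TIMEOUT);
  }

  // 256 bits from a CSPRNG, URL-safe Base64 so it is a valid cookie value.
  static String newLoginId() {
    byte[] bytes = new byte[32];
    RANDOM.nextBytes(bytes);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
  }

  // Look cookies up by name rather than by position in getCookies().
  private static String cookieValue(HttpServletRequest request, String name) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
      return null;
    }
    for (Cookie c : cookies) {
      if (name.equals(c.getName())) {
        return c.getValue();
      }
    }
    return null;
  }
}
```

The login ID is still a bearer credential for the remember-me scope, so treat it like a password on the server side: store it hashed, bind it to one user, and revoke it on logout or password change. The Secure and HttpOnly flags limit exposure to sniffing and XSS respectively, but they protect the token, not a password, which is why only the token is sent.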
Applicability
Violation of this rule places sensitive information within cookies, where it is exposed to packet sniffing whenever the cookie travels over an unencrypted connection, to cross-site scripting (XSS) attacks that read cookies from script, and to anyone with access to the browser's persistent cookie store.
Bibliography
...