When building an application that uses a client-server model, storing sensitive information on the client side may result in its disclosure if the application is vulnerable to attacks that can compromise that information. For example, consider the use of a cookie for storing sensitive information such as user credentials. A cookie is set by a web server and is stored for a certain period of time on the client side. All subsequent requests to the domain identified by the cookie include the information saved in the cookie. If the web application contains a cross-site scripting (XSS) vulnerability, an attacker may be able to read any unencrypted information contained in the cookie.

A partial list of sensitive information includes user names, passwords, password hashes, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see MSC66-JG. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see MSC63-JG. Limit the lifetime of sensitive data.

Noncompliant Code Example

...

However, this attempt to implement the "remember me" functionality is insecure because sensitive information should not be stored on the client side without strong encryption. This code also violates the guideline MSC66-JG. Store passwords using a hash function.

Compliant Solution (Session)

...

This compliant solution implements the "remember me" functionality by storing the username and a secure random string in the cookie. It also maintains state in the session using HttpSession.
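The scheme just described, as an added example written for this page rather than the guideline's own compliant solution: the cookie carries only the username and an opaque token from a CSPRNG, and the token is compared against a copy held in the HttpSession. It assumes the javax.servlet API (Servlet 3.0 or later for setHttpOnly); the cookie names, attribute names and lifetime are choices made here, not taken from the guideline.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Added example, not the guideline's own code. The cookie holds only the username
// and an opaque random token; the token is kept server-side in the HttpSession.
public final class RememberMe {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String USER_ATTR = "rmUser", TOKEN_ATTR = "rmToken"; // assumed names
    // Call only after the user has authenticated against the stored password hash.
    public static void issue(String username, HttpServletRequest req, HttpServletResponse resp) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG, never the password
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, username);
        session.setAttribute(TOKEN_ATTR, token);   // server-side copy to compare against
        addCookie(resp, "user", username);
        addCookie(resp, "token", token);
    }
    // Returns the username if the cookies match the session state, otherwise null.
    public static String verify(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Cookie[] cookies = req.getCookies();
        if (session == null || cookies == null) return null;
        String user = null, token = null;
        for (Cookie c : cookies) {
            if ("user".equals(c.getName())) user = c.getValue();
            else if ("token".equals(c.getName())) token = c.getValue();
        }
        Object expUser = session.getAttribute(USER_ATTR), expToken = session.getAttribute(TOKEN_ATTR);
        if (user == null || token == null || expUser == null || expToken == null) return null;
        // Constant-time comparison so the check does not leak how many bytes matched.
        boolean ok = MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8),
                expToken.toString().getBytes(StandardCharsets.UTF_8));
        return ok && user.equals(expUser) ? user : null;
    }
    private static void addCookie(HttpServletResponse resp, String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // unreadable by script, limiting the XSS exposure described above
        c.setSecure(true);     // sent only over TLS
        c.setMaxAge(24 * 60 * 60);
        resp.addCookie(c);
    }
}
```

Because the token lives only in the session here, the cookie is useless once the session expires; a deployment that needs the cookie to outlive the session would store a hash of the token in a persistent server-side store instead, which still keeps nothing sensitive on the client.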

...