...
A partial list of sensitive information includes user names, passwords, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see MSC66-JG. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see MSC63-JG. Limit the lifetime of sensitive data.
Noncompliant Code Example
In this noncompliant code example, the login servlet stores the user name and password in the cookie to identify the user for subsequent requests.
...
However, the attempt to implement the "remember me" functionality is insecure because sensitive information should not be stored at client-side without strong encryption. This code also violates the guideline MSC66-JG. Store passwords using a hash function.
Compliant Solution (Session)
This compliant solution implements the "remember me" functionality by storing the username and a secure random string in the cookie. It also maintains state in the session using HttpSession.
...
This solution also avoids session fixation attacks by invalidating the current session and creating a new session. It also reduces the window in which an attacker could perform a session hijacking attack by setting the session timeout to one.
Applicability
Violation of this rule places sensitive information within cookies, making the information vulnerable to packet sniffing or XSS attacks.
Related Guidelines
Bibliography
...