...

Note that the above noncompliant code example stores the user name and password within the cookie for authentication purposes. This code is insecure because an attacker could perform a cross-site scripting attack, or sniff packets on the network, to obtain this information. Once the attacker has it, they have free rein to log in to the user's account. On the other hand, if the application stored only the user name within the cookie for authentication purposes, an attacker who knew the user name of a particular individual could still forge their own cookie containing that user name and easily gain access to that account, assuming that the application uses the cookie to identify the user, thereby bypassing the authentication system.

Compliant Solution

The noncompliant example above can be resolved by using the HttpSession class to store user information as opposed to cookies. Since HttpSession objects are server-side, an attacker cannot gain access to the session information directly through cross-site scripting attacks. Instead, only the session ID of the user is stored within the cookie, rather than any excess or sensitive information. As a result, the attacker must first gain access to the session ID, and only then do they have a chance of gaining access to a user's account details.
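As an added example (not the guideline's own code), the following servlet login handler places the noncompliant cookie-based approach next to the HttpSession-based compliant one. The in-memory credential store, the `authenticate` helper and the `/account` redirect target are assumptions made for this illustration.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Constructed demo credential store; a real application verifies
    // against a salted password hash in its user database.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Hypothetical credential check used by both variants below.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && password.equals(USERS.get(user));
    }

    // Noncompliant: the user name and password are written into cookies,
    // so anything that can read them (injected script, a network sniffer)
    // learns the password, and a cookie holding only the user name can
    // simply be forged by anyone who knows that name.
    protected void loginNoncompliant(HttpServletRequest req, HttpServletResponse resp) {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (authenticate(user, pass)) {
            resp.addCookie(new Cookie("username", user));
            resp.addCookie(new Cookie("password", pass));
        }
    }

    // Compliant: user identity is held server-side in the HttpSession; the
    // only value sent to the client is the container-generated session ID.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        req.changeSessionId();                 // Servlet 3.1+: fresh ID after login
        session.setAttribute("user", user);    // stays on the server
        session.setMaxInactiveInterval(15 * 60);
        resp.sendRedirect("/account");
    }

    // Later requests derive the user from the session, never from a
    // client-supplied cookie value.
    static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute("user");
    }
}
```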

...