Section 19.6. Persistent Data and Security


The documentation at the beginning of Example 19-3 highlights a security concern that you should keep in mind when using client-side persistence. Remember that any data you store resides on the user's hard disk in unencrypted form. It is therefore accessible to curious users who share access to the computer and to malicious software (such as spyware) that exists on the computer. For this reason, no form of client-side persistence should ever be used for any kind of sensitive information: passwords, financial account numbers, and so on. Remember: just because a user types something into a form field when interacting with your web site doesn't mean that he wants a copy of that value stored on disk. Consider a credit card number as an example. This is sensitive information that people keep hidden in their wallets. If you save this information using client-side persistence, it is almost as if you wrote the credit card number on a sticky note and stuck it to the user's keyboard. Because spyware is pervasive (at least on Windows platforms), it is almost as though you posted it on the Internet.

Also, bear in mind that many web users mistrust web sites that use cookies or other persistence mechanisms to do anything that resembles "tracking." Try to use the persistence mechanisms discussed in this chapter to enhance a user's experience at your site; don't use them as a data-collection mechanism.
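As an added example that is not code from the book: a filter that decides which fields a cookie-based "remember my entries" feature may persist, dropping password fields, fields whose names or autocomplete hints mark them as payment or account data, and any value shaped like a card number (Luhn check). The field objects, keyword list and sample form are constructed here; in a real page you would build the field objects from form.elements.

```javascript
// Added example, not code from the book: decide which fields of a form a
// cookie-based "remember my entries" feature may persist. Fields are plain
// objects (name, type, value, autocomplete), constructed for this example.
const SENSITIVE_WORDS = new Set(["password", "passwd", "pass", "pin", "ssn",
  "card", "cardnumber", "cc", "ccnum", "cvv", "cvc", "account", "acct"]);

// Luhn check: flags card-number-shaped values even in innocently named fields.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d;
  }
  return sum % 10 === 0;
}
// Match whole name tokens so "shipping" is not caught by "pin".
function nameIsSensitive(name) {
  return name.toLowerCase().split(/[^a-z0-9]+/).some(t => SENSITIVE_WORDS.has(t));
}
function isSensitiveField(f) {
  return f.type === "password" || nameIsSensitive(f.name) ||
    /^(cc-|current-password|new-password|one-time-code)/.test(f.autocomplete || "") ||
    looksLikeCardNumber(f.value);
}
// Keep only the name/value pairs that are safe to write to disk.
function persistableValues(fields) {
  const out = {};
  for (const f of fields) if (!isSensitiveField(f)) out[f.name] = f.value;
  return out;
}
// Encode the survivors as one cookie value (the chapter's persistence mechanism).
function toCookieValue(obj) {
  return Object.keys(obj)
    .map(k => encodeURIComponent(k) + ":" + encodeURIComponent(obj[k])).join("&");
}

// Constructed sample form: two harmless fields, a password, a card number typed
// into a free-text "memo" field, and a (still empty) card-number field.
const SAMPLE_FORM = [
  { name: "zip", type: "text", value: "94103" },
  { name: "theme", type: "select-one", value: "dark" },
  { name: "password", type: "password", value: "hunter2" },
  { name: "memo", type: "text", value: "4111 1111 1111 1111" },
  { name: "cc_number", type: "text", autocomplete: "cc-number", value: "" },
];
```

Only `zip` and `theme` survive the filter; the password, the card number typed into the memo field, and the card-number field itself are never written to the cookie.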

JavaScript: The Definitive Guide
ISBN: 0596101996
Year: 2004
Pages: 767