Should I be concerned if I am using the default cookie-based session
storage for a high security application? Nothing sensitive will be
stored on the cookie, but it’s critical that one user cannot gain
access to another user’s account. The security risks I see with
cookie-based storage are:
There is a single point of failure. If the secret key is stolen
(for example, by a rogue developer), the person in possession of the
key can log into any account he wishes.
It’s not been as widely used as database-backed session, and
therefore not as tested.
The cryptographic algorithm could be compromised, which is always a
possibility (however unlikely.)
What do you think?