LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why are cookies unsuitable for storing authentication state?

Users can read and edit cookie values, so trusting an identity stored there lets them impersonate anyone.

If you stored userId=123 in a cookie, a user could:

  1. Open browser developer tools
  2. Change the cookie to userId=456
  3. Gain access as a different user

Solution: Use session variables instead. The server stores the user ID, and the client only has an opaque session ID that can't be used to guess other users' sessions.

Go deeper:

  • doc Set-Cookie attributes (MDN)HttpOnly, Secure, and SameSite: the attributes that harden the session-ID cookie against theft and CSRF.

From Quiz: WEBT / User Sessions | Updated: Jul 05, 2026