Quiz Entry - updated: 2026.07.05
Why are cookies unsuitable for storing authentication state?
Users can read and edit cookie values, so trusting an identity stored there lets them impersonate anyone.
If you stored userId=123 in a cookie, a user could:
- Open browser developer tools
- Change the cookie to
userId=456 - Gain access as a different user
Solution: Use session variables instead. The server stores the user ID, and the client only has an opaque session ID that can't be used to guess other users' sessions.
Go deeper:
Set-Cookie attributes (MDN) —
HttpOnly,Secure, andSameSite: the attributes that harden the session-ID cookie against theft and CSRF.