Section
2.2.1
Top Level
Sub Level
General
Avoid the use of cookies other than a session cookie. Application cookies are stored in the client browser and can easily be manipulated by users. Never include sensitive content in application cookies. Ensure that cookie values are validated if they are used.
ColdFusion
Enable an option other than Registry for client variable storage. Adobe recommends adding an RDBMS as a client variable store. See TechNote 17919 for more information.
Java
The only cookie should be a session cookie that is generated by the container.
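
The General guidance above says that cookie values must be validated if they are used. The following is an added example, not part of the original guideline, of allowlist validation for a non-sensitive application cookie in plain Java. The cookie names, allowed values, defaults, length limit and sample headers are all assumptions constructed for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class CookieValidation {
    // Hypothetical non-sensitive application cookies and their permitted values (assumptions).
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "theme", Set.of("light", "dark"),
            "lang", Set.of("en", "de", "fr"));
    // Server-side defaults used whenever the client-supplied value is rejected.
    private static final Map<String, String> DEFAULTS = Map.of("theme", "light", "lang", "en");
    private static final int MAX_VALUE_LENGTH = 16;

    /** Returns the raw value of the named cookie from a Cookie request header, if present exactly once. */
    static Optional<String> rawCookie(String cookieHeader, String name) {
        if (cookieHeader == null) return Optional.empty();
        String found = null;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue; // malformed pair, ignore
            if (pair.substring(0, eq).trim().equals(name)) {
                if (found != null) return Optional.empty(); // duplicate name is ambiguous, reject
                found = pair.substring(eq + 1).trim();
            }
        }
        return Optional.ofNullable(found);
    }

    /** Returns the cookie value only if it is on the allowlist; otherwise the server-side default. */
    static String validated(String cookieHeader, String name) {
        Set<String> allowed = ALLOWED.get(name);
        if (allowed == null) throw new IllegalArgumentException("unknown application cookie: " + name);
        return rawCookie(cookieHeader, name)
                .filter(v -> v.length() <= MAX_VALUE_LENGTH) // bound the size before any comparison
                .filter(allowed::contains)                   // exact match against known-good values
                .orElse(DEFAULTS.get(name));
    }

    public static void main(String[] args) {
        // Constructed sample headers: one unmodified, one edited by the user in the browser.
        String ok = "JSESSIONID=0123ABCD; theme=dark; lang=de";
        String tampered = "JSESSIONID=0123ABCD; theme=admin; lang=xx; lang=en";
        System.out.println(validated(ok, "theme") + " " + validated(ok, "lang"));
        System.out.println(validated(tampered, "theme") + " " + validated(tampered, "lang"));
    }
}
```

The validated value is the only form the rest of the application should see; the raw header string is treated as untrusted input throughout.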