- Always have the domain of the cookie be "pch.net" so no other site may read it or detect its existence.
- Are always sent to the browser over HTTPS.
- Always have the "secure" flag set so that the cookie is always sent back to our servers over HTTPS.
- Never hold anything more than a unique ID. We never put any user data in a cookie.

These are the specific cookies we use, with their purposes and durations:

- Session - This cookie sets no expiration date, so it expires when you close your browser. We use it during our registration process. All users get this cookie as soon as they visit any page on our site, even if they are not registering. (Full name: PHPSESSID)
- Login - This cookie is used to denote that a user is logged in. It lasts for 24 hours. Only users who have signed up and are actively logged in get this cookie. (Full name: PCHSession-www)
- Nonce - This cookie is used to protect our users from Cross-Site Request Forgery (CSRF) on forms on our site. It does this by setting a cookie with a unique ID called a nonce. This ID is also submitted in the form. If the cookie nonce does not match the form nonce, or either is missing, the form submission is considered invalid. Only users who submit a form will get these cookies. They are sent per form and valid for 5 minutes. (Full name varies, but will be like: pch_nonce3f10636e6057f9c6f9a019)
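
The nonce check described above, sketched in Python as an added example; it is not code from this site. The hidden form field names `nonce_name` and `nonce`, the in-memory store, the single-use behaviour and the HttpOnly flag are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

NONCE_TTL = 300              # seconds; the page says nonces are valid for 5 minutes
COOKIE_PREFIX = "pch_nonce"  # prefix taken from the page's example cookie name
_issued = {}                 # cookie name -> (nonce, expiry); stand-in for a server-side store


def issue_nonce(now=None):
    """Create a nonce for one rendered form: (cookie_name, nonce, Set-Cookie value)."""
    now = time.time() if now is None else now
    name = COOKIE_PREFIX + secrets.token_hex(11)  # assumed naming: prefix + random hex
    nonce = secrets.token_hex(16)                 # opaque unique ID, no user data
    _issued[name] = (nonce, now + NONCE_TTL)
    cookie = SimpleCookie()
    cookie[name] = nonce
    cookie[name]["domain"] = "pch.net"
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True       # only returned over HTTPS
    cookie[name]["httponly"] = True     # assumption: page scripts never need to read it
    cookie[name]["max-age"] = NONCE_TTL
    return name, nonce, cookie[name].OutputString()


def verify_nonce(cookie_header, form, now=None):
    """Accept a submission only if cookie and form nonces both exist, match and are fresh."""
    now = time.time() if now is None else now
    name = form.get("nonce_name", "")   # hypothetical hidden field: which cookie to check
    form_nonce = form.get("nonce", "")  # hypothetical hidden field: the nonce itself
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(name)
    record = _issued.pop(name, None)    # assumption: a nonce is consumed on first use
    if morsel is None or not form_nonce or record is None:
        return False
    expected, expiry = record
    if now > expiry:
        return False
    # Compare as bytes in constant time; str inputs with non-ASCII would raise TypeError.
    sent = form_nonce.encode()
    return (hmac.compare_digest(morsel.value.encode(), sent)
            and hmac.compare_digest(expected.encode(), sent))
```

The browser-side `Max-Age` only limits how long the cookie is kept; the server-side expiry check is what enforces the 5-minute window.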