If you want to keep things secure, keep your sensitive data encrypted and use a function to encrypt/decrypt it for you. Store the decryption password as a property of some object whose purpose prying eyes would not recognize. I use a session password that is based on the current date and time the user accesses or logs onto the system. Their sensitive progress information is pulled from a database and kept encrypted on the client machine using pgStringEncrypt() with AES encryption, and the password depends on the date and time the person pulled their data from the MySQL database. Bear in mind that whatever the page itself can decrypt, someone with access to that browser (and its developer tools) can decrypt as well, so this guards the stored values against casual inspection rather than against a determined user.
To get the decrypted information for use during the session, I write a function that takes as a parameter the name of the data that is needed and returns the decrypted value, which is only used temporarily. For example, a student's encrypted quiz score could be quickly decrypted and updated, then re-encrypted and sent back to the database. The storage location could be browser cookies, but I prefer the browser storage object: the data is stored there and destroyed when the session is over. The PowerPac cookie functions can use the browser storage object by simply indicating that location as a parameter of the function(s). The advantage of the browser storage object is that you can store complex variables (arrays, etc.) and there is no realistic limit on data size like there is with file cookies.
You could use a basic function like the following for processing sensitive data. It could be written in an XML file and associated with an object, or it could be added as part of a JavaScript function. The former makes it a little harder to trace what the method is even for, but that is obscurity rather than protection: anyone reading the page's scripts can still find it.
function myStudentData( name, data, pwd, updateWeb ) {
  /* GET/SET session data
     name      = name of the item to get or set
     data      = new value to assign to [name]; omitted (null/undefined) means "get".
                 On set, the value is encrypted before it is stored or updated.
     pwd       = string password; defaults to the stored session password
     updateWeb = boolean true to also store the new data in the database
  */
  var rtn;
  pwd = pwd || TBK.ssid; // session password generated on book load and stored in TBK.ssid, etc.
  if (data == null) {
    rtn = readCookie( name, "session" );          // read from the browser session storage
    if (rtn == null) { return null; }             // nothing stored under that name yet
    rtn = pgStringEncrypt( true, rtn, pwd, 256 ); // decrypt the stored value (AES, 256-bit key)
    return rtn;
  } else {
    data = pgStringEncrypt( false, data, pwd, 256 ); // encrypt the data before storing it
    createCookie( name, data, "", "session" );
    if (typeof updateWeb == 'boolean' && updateWeb) {
      // Code to upload the (still encrypted) data to the database using XMLHttpRequest()
    }
  }
}
Anyway, from here you can let your creative powers lead you to other ideas. Feel free to share them, as I'm always interested in other ideas and ways of doing things.