Best case: A single ID that relates to all the other information you need, which in turn is stored in a database.
There are times when it makes sense to put some other information in there, but they are rare. You always need to ask yourself why, at least five times.
SSL will protect your users from session hijacking but, even then, never store unencrypted sensitive information in a cookie. It is, essentially, stored in plain text on the hard drive.
Finally, and most importantly, protect your user against XSS and CSRF attacks.
XSS protection is generally as simple as being careful where you include JavaScript from, because JavaScript on another server could be changed without your knowledge, and this JavaScript has access to cookie data. So if you're using Evil Corp's content-delivery network to serve your jQuery script, they can suddenly add code to send them your users' cookies. You wouldn't know; your users wouldn't know.
Either download scripts and serve them from your own server or use very well-trusted CDNs such as Google or Yahoo.
CSRF protection is usually done by having a random value in a hidden field in a form. The value is kept in the session so that when the form is resubmitted, you can verify it came from the same computer.
Most web frameworks now have very simple techniques for including that token.
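The hidden-field CSRF token described above, as an added example that is not part of the original answer: the session store, the form rendering and the route names are constructed assumptions, not any particular framework's API.

```python
import secrets
import hmac

# Constructed in-memory session store keyed by session id. Assumption: a real
# app keeps this server-side (database or cache); the cookie carries only the id.
SESSIONS = {}

def new_session():
    """Create a session whose cookie value is just an opaque random id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def csrf_token_for(sid):
    """Return the session's CSRF token, minting one on first use.

    The token goes into the hidden form field; the copy kept in the session is
    the reference value the later submission is checked against.
    """
    session = SESSIONS[sid]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_form(sid):
    """Hypothetical form rendering: embeds the session's token as a hidden field."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">'
            '</form>')

def verify_submission(sid, form_fields):
    """Accept the POST only if the hidden field matches the session's token.

    A missing session, a session that never rendered a form, or a missing field
    is rejected. The comparison is constant-time so the check does not leak the
    token through timing differences.
    """
    session = SESSIONS.get(sid)
    if session is None or "csrf_token" not in session:
        return False
    submitted = form_fields.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())
```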
Before going web or standalone, figure out your business domain.
- How often the app talks to the server (synchronizing the user workspace, fetching data, updating data, etc.).
- How frequently the user will be accessing the app (1 or 100 times a day).
- How much time the user will spend on the app (5 mins or 2 hrs).
Pros and cons of making these two applications...
There can be a huge list, but here are just a few points for standalone:
Pros:
- Works offline (big plus).
- No need to consider issues like cross-browser compatibility.
- No need to get into one more JEE layer (KISS principle).
- Simpler security model (e.g. no need to bother about XSS attacks, etc.).
Cons:
- Accessibility (have to install on separate machines, e.g. home, office).
- Availability (not available on other devices, like tablets, smartphones).
- Upgrading.
Best Answer
If the internet connection is lost, it's not your application that is bad, it's the internet connection. So it's the internet connection you need to focus on. If it's critical to be connected to the internet all the time, this can easily be done by having two internet connections (redundancy) at each location. (They should be from different operators.)
In many cases a pharmacy would also need an internet connection to be able to handle credit card purchases, so even if your application is a "locally installed desktop application" they might not actually be able to do very much with it without an internet connection.