[cgiapp] enciphered-cookie-only sessions
Ricardo SIGNES
perl.cgiapp at rjbs.manxome.org
Mon Mar 10 12:54:03 EDT 2008
* Mark Fuller <azfuller at gmail.com> [2008-03-10T09:06:30]
> On Mon, Mar 10, 2008 at 3:56 AM, Ricardo SIGNES
> <perl.cgiapp at rjbs.manxome.org> wrote:
> > stores your whole session in the cookie. It's stored as a base64-encoded,
> > Rijndael-enciphered, JSON-encoded string. This seemed like a swell idea
> > for me,
>
> I hear a lot about brute-force attacks on encryption. Also, that what
> seemed like a terrific amount of brute force 5-10 years ago isn't
> today. Is that a concern (if someone steals cookies)?
I think the amount of brute force required would still be pretty darn brutal.
I wouldn't use this for anything like banking or credit cards, but I feel
pretty okay about it for things like a Rubric login.
Probably what I'll do in the (near) future is have an n-day log of secrets,
generated daily. The cookie will then be like
{ generated: yyyymmdd, cookie: ciphertext }
You'll have to crack the secret within n days, which makes it even more
tedious.
Anyway, like I said, and like others say, this isn't for everyone or
everything.
--
rjbs
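The dated-secret scheme sketched above, written out as an added example (this is not code from Rubric, CGI::Application, or the author). It assumes a Ruby runtime with the openssl extension, swaps AES-256-GCM in for bare Rijndael so that a cookie someone has modified is rejected instead of decrypting to garbage, and the keyring, function names, and three-day window are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'date'

MAX_AGE_DAYS = 3  # the mail's "n": secrets older than this are retired

# One 32-byte secret per "yyyymmdd" day, newest first (constructed here; a real
# deployment would generate one secret each day and persist the last n of them).
def make_keyring(today, days = MAX_AGE_DAYS)
  (0..days).each_with_object({}) do |i, ring|
    ring[(today - i).strftime('%Y%m%d')] = OpenSSL::Random.random_bytes(32)
  end
end

# Encipher the session hash under today's secret. AES-256-GCM (an AEAD) stands
# in for bare Rijndael so a modified cookie is rejected instead of decrypting to
# garbage; the day is bound as associated data so the label cannot be swapped.
def seal_session(ring, session, today)
  day = today.strftime('%Y%m%d')
  key = ring.fetch(day) { raise 'no secret for today' }
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv            # 12 random bytes, never reused with the same key
  c.auth_data = day
  ct = c.update(JSON.generate(session)) + c.final
  { generated: day, cookie: [iv + ct + c.auth_tag].pack('m0') }.to_json
end

# Reverse seal_session, refusing unknown or retired secrets and any tampering.
def open_session(ring, cookie, today)
  env = JSON.parse(cookie)
  day = env['generated']
  gen = Date.strptime(day, '%Y%m%d')
  raise 'secret retired' if (today - gen).to_i > MAX_AGE_DAYS
  key = ring.fetch(day) { raise 'unknown secret' }
  raw = env['cookie'].unpack1('m0')
  raise 'malformed cookie' if raw.bytesize <= 28  # 12-byte iv + 16-byte tag
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = raw[0, 12]
  c.auth_tag = raw[-16, 16]
  c.auth_data = day
  # c.final raises OpenSSL::Cipher::CipherError if the tag does not verify
  JSON.parse(c.update(raw[12...-16]) + c.final)
end
```

A cookie sealed today still opens on day n, is refused on day n+1, and fails authentication if its ciphertext is flipped or its generated date is relabelled to another day's secret.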