[cgiapp] enciphered-cookie-only sessions

Ricardo SIGNES perl.cgiapp at rjbs.manxome.org
Mon Mar 10 12:59:57 EDT 2008


* Michael Peters <mpeters at plusthree.com> [2008-03-10T09:15:26]
> Ricardo SIGNES wrote:
> > It's a Catalyst plugin that stores your whole session in the cookie.  It's
> > stored as a base64-encoded, Rijndael-enciphered, JSON-encoded string. 
> 
> Krang does this as well and I've used it on lots of other projects too. But,
> I think that's a little overkill. I just use a URL encoded JSON cookie. I
> don't put anything sensitive in there. I usually use this in conjunction with
> a normal session cookie. So the sensitive stuff goes into the server side
> session and the non-sensitive stuff in the client side session.

Right... the encryption ceases to be overkill when you eliminate the
server-side cookie and don't want someone to be able to change his username!

> The nice thing about putting things into the cookie in an easy to read JSON
> format is that my client side AJAX/Javascript code can use it too. For
> instance, Krang has a user preference to determine how long you want the
> messages that slide-in to remain visible. With this stored in this JSON
> cookie we can access that from the Javascript, since that's what creates the
> slide-in messages in the first place.

Yeah, that's an interesting point.  I should extend my session definition to
have private and public data!

> The reason I use 2 session cookies (one just the key to the server side
> session and the other a JSON cookie) is mainly because of (c). Cookie size is
> limited and I can't guarantee that some people's sessions won't get really
> big.

Yeah.  Again, in this specific application, I know all the data that might go
into the session, and they are all small.

-- 
rjbs
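As an added illustration (not code from either poster, Krang, or the Catalyst plugin), here is a Python sketch of the two-cookie layout discussed above: a URL-encoded JSON "prefs" cookie that client-side JavaScript may read, and a "session" cookie the server trusts. The private cookie is made tamper-evident with an HMAC rather than Rijndael-enciphered, since keeping a user from rewriting his own username is an integrity property; it does not hide the contents, so anything secret would still need encryption on top. The key, cookie names and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed demo key: a real deployment loads it from config, never from source.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_COOKIE_BYTES = 4096  # browsers cap a single cookie near 4 KiB (point (c) above)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_session(public: dict, private: dict) -> dict:
    """Build the two cookies: 'prefs', URL-encoded JSON that client-side JavaScript
    may read and the server treats as untrusted, and 'session', JSON plus an
    HMAC-SHA256 tag so the server can detect any edit to the private data."""
    prefs = quote(json.dumps(public, separators=(",", ":")))
    payload = json.dumps(private, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    session = _b64(payload) + "." + _b64(tag)
    for value in (prefs, session):
        if len(value) > MAX_COOKIE_BYTES:
            raise ValueError("session data too large for a single cookie")
    return {"prefs": prefs, "session": session}

def decode_session(cookies: dict) -> tuple:
    """Return (public, private). Private is None when the 'session' cookie is
    missing, malformed, or fails the constant-time MAC comparison."""
    public = json.loads(unquote(cookies.get("prefs", "{}")))
    try:
        body, tag = cookies["session"].split(".", 1)
        payload, sent_tag = _unb64(body), _unb64(tag)
    except (KeyError, ValueError):  # binascii.Error is a ValueError
        return public, None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sent_tag, expected):
        return public, None
    return public, json.loads(payload)

if __name__ == "__main__":
    jar = encode_session({"slide_in_ms": 4000}, {"user": "alice", "uid": 7})
    print(decode_session(jar))
```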

