[cgiapp] enciphered-cookie-only sessions
Ricardo SIGNES
perl.cgiapp at rjbs.manxome.org
Mon Mar 10 13:05:58 EDT 2008
* Mark Fuller <azfuller at gmail.com> [2008-03-10T09:27:47]
> On Mon, Mar 10, 2008 at 6:15 AM, Michael Peters <mpeters at plusthree.com> wrote:
> >
> > I just use a URL encoded JSON cookie. I don't put anything sensitive in
> > there.
>
> Is there a risk that this contributes to the bad reputation of
> cookies? One person puts stuff in a cookie and obfuscates it
> (presumably for a reason). Another encrypts it (presumably for a
> reason). There's no transparency for the user who isn't even asked if
> they accept this.
Who obfuscated? URI-encoding is just useful to make it 7-bit safe. (I think!)
It's barely obfuscatory, too, if you know the few common things that will
appear.
I don't know that cookies have a bad reputation at all! They're just
accessible to the user to view and edit, and they have a small maximum size.
Having a cookie containing "authenticated_user_name=rjbs" in the clear would be
stupid. Trying to store a complete serialized set of preferences for a complex
application would also be stupid.
> To me, it sounds like the kind of thing that makes people disable cookies
> entirely (or, trust them too much and, before too long someone's definition
> of what's "not sensitive" and "satisfactory obfuscation" is incorrect). It
> seems like just storing a sessionID avoids all that. Is making the
> programming less complex worth falling into that category of cookie
> suspicion?
What's the kind of thing? Huh? I have no idea what you're driving at.
--
rjbs
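The three cookie designs the thread touches on, side by side, as an added example that is not part of the original post or of CGI::Application (written in Python rather than Perl so it runs stand-alone): a URL-encoded JSON cookie, which is reversible by design and so neither secret nor tamper-evident; the same payload with an HMAC-SHA256 tag, which the server can verify but the user can still read; and a cookie that holds only an opaque session ID with the data kept server-side. The key, the `SessionStore` class and the `demo` function are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import quote, unquote

# Constructed demo key. A real deployment keeps this in server-side config and
# rotates it; the signed scheme is only as strong as the secrecy of this key.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def encode_plain_cookie(session: dict) -> str:
    """URL-encoded JSON: 7-bit safe for the Cookie header, but not secret."""
    body = json.dumps(session, separators=(",", ":"), sort_keys=True)
    return quote(body, safe="")


def decode_plain_cookie(value: str) -> dict:
    """Anyone holding the cookie, the browser's owner included, can read and edit it."""
    return json.loads(unquote(value))


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, hex so it is cookie-safe."""
    return hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()


def encode_signed_cookie(session: dict) -> str:
    """Same readable payload, plus a tag only the key holder can compute."""
    payload = encode_plain_cookie(session)
    return f"{payload}.{_tag(payload)}"


def decode_signed_cookie(value: str):
    """Return the session dict, or None when the cookie was edited or forged.

    The tag is hex, so the last '.' always separates payload from tag even if
    the URL-encoded payload itself contains dots.
    """
    payload, sep, tag = value.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload), tag):
        return None
    return decode_plain_cookie(payload)


class SessionStore:
    """Session-ID-only cookie: the browser holds a random handle, the data stays
    on the server. Constructed in-memory store for the example."""

    def __init__(self):
        self._data = {}

    def create(self, session: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._data[sid] = dict(session)
        return sid

    def lookup(self, sid: str):
        return self._data.get(sid)


def demo():
    session = {"user": "rjbs", "theme": "dark"}

    plain = encode_plain_cookie(session)
    assert decode_plain_cookie(plain) == session  # URL-encoding is reversible
    # An edit to the plain cookie is accepted without question.
    edited = encode_plain_cookie({**session, "user": "admin"})
    plain_accepts_edit = decode_plain_cookie(edited)["user"] == "admin"

    signed = encode_signed_cookie(session)
    assert decode_signed_cookie(signed) == session
    # Re-using the genuine tag with an altered payload fails verification.
    forged = edited + "." + signed.rpartition(".")[2]
    signed_rejects_edit = decode_signed_cookie(forged) is None
    # The payload is still readable, just not editable: signing is not encryption.
    signed_still_readable = decode_plain_cookie(signed.rpartition(".")[0]) == session

    store = SessionStore()
    sid = store.create(session)
    session_id_opaque = store.lookup(sid) == session and store.lookup("guess") is None

    return {
        "plain_accepts_edit": plain_accepts_edit,
        "signed_rejects_edit": signed_rejects_edit,
        "signed_still_readable": signed_still_readable,
        "session_id_opaque": session_id_opaque,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The signed variant answers the "edit" half of rjbs's point but not the "view" half; keeping anything the user must not see out of the cookie still requires either encryption under a server-held key or the session-ID approach, where the cookie carries nothing to read at all.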