[cgiapp] enciphered-cookie-only sessions
Michael Peters
mpeters at plusthree.com
Tue Mar 11 09:33:56 EDT 2008
Ricardo SIGNES wrote:
> Right... the encryption ceases to be overkill when you eliminate the
> server-side cookie and don't want someone to be able to change his username!
You could get both benefits (JS usable structure and tamper proof data) by
adding a hash key to the JSON structure. Then double check the server side data
with the hash key to make sure it wasn't tampered with.
> Yeah, that's an interesting point. I should extend my session definition to
> have private and public data!
If you could wrap that all up into a plugin, or add it to C::A::P::Session that
would be pretty useful.
--
Michael Peters
Plus Three, LP
More information about the cgiapp
mailing list