[cgiapp] enciphered-cookie-only sessions

Michael Peters mpeters at plusthree.com
Tue Mar 11 09:33:56 EDT 2008


Ricardo SIGNES wrote:

> Right... the encryption ceases to be overkill when you eliminate the
> server-side cookie and don't want someone to be able to change his username!

You could get both benefits (JS usable structure and tamper proof data) by
adding a hash key to the JSON structure. Then double check the server side data
with the hash key to make sure it wasn't tampered with.

> Yeah, that's an interesting point.  I should extend my session definition to
> have private and public data!

If you could wrap that all up into a plugin, or add it to C::A::P::Session that
would be pretty useful.

-- 
Michael Peters
Plus Three, LP
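As an added example (not code from this thread, nor from CGI::Application or its Session plugin), here is the hash-key scheme Michael describes, in Python, assuming the "hash key" is an HMAC-SHA256 keyed with a server-side secret: the public fields stay plain JSON that the browser's JavaScript can read, and a `mac` field lets the server reject any change to them.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Server-side secret (constructed placeholder); lives in server config,
# never in the cookie. Anyone holding it can forge cookies.
SECRET_KEY = b"replace-me-with-a-random-server-secret"


def _canonical(data: Dict[str, Any]) -> str:
    """Serialise deterministically so the same data always hashes the same."""
    return json.dumps(data, sort_keys=True, separators=(",", ":"))


def _mac(data: Dict[str, Any]) -> str:
    """Keyed hash over the canonical JSON of the public fields."""
    msg = _canonical(data).encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(public: Dict[str, Any]) -> str:
    """Public data plus a 'mac' key, as one flat JSON object for JS to read."""
    if "mac" in public:
        raise ValueError("'mac' is reserved for the hash key")
    signed = dict(public)
    signed["mac"] = _mac(public)
    return json.dumps(signed, separators=(",", ":"))


def read_cookie(cookie: str) -> Optional[Dict[str, Any]]:
    """Return the public data only if the MAC verifies; None on tampering,
    a missing MAC, or malformed input. Constant-time compare avoids
    leaking how many MAC characters matched."""
    try:
        obj = json.loads(cookie)
    except ValueError:
        return None
    if not isinstance(obj, dict) or not isinstance(obj.get("mac"), str):
        return None
    mac = obj.pop("mac")
    if not hmac.compare_digest(_mac(obj), mac):
        return None
    return obj


def tamper_demo() -> Optional[Dict[str, Any]]:
    """Client edits the username in place; the server must refuse it."""
    cookie = make_cookie({"username": "alice", "theme": "dark"})
    return read_cookie(cookie.replace('"alice"', '"mallory"'))
```

This covers only the public, tamper-evident half of the session; anything the user must not even read still needs the encryption the thread's subject refers to.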