[cgiapp] enciphered-cookie-only sessions

Perrin Harkins perrin at elem.com
Tue Mar 11 09:59:46 EDT 2008


On Mon, Mar 10, 2008 at 11:43 AM, Mark Fuller <azfuller at gmail.com> wrote:
>  But that doesn't mean anything belongs in a cookie. It seems to me if
>  it can't be clear text it shouldn't be in a cookie. At least if it's
>  clear text I have the opportunity to see what's going on and make a
>  choice about whether to accept cookies from a site.

Again, have you tried turning on the "ask me" option for cookies
lately?  You'll find that many pages give you a dozen or so cookies
from various ad banners and the like.

Hardly anyone looks at cookies, and those who do will probably be
happier if they don't look like readable text.

>  I'd go further and say nothing but a session key should go in a
>  cookie. Once it turns into additional elements, opinions differ about
>  what's sensitive or not (userid?, first and last names?, mailing
>  address? date of birth? credit card number?).

Information that isn't sensitive can be made tamper-proof with an
HMAC.  Information that is sensitive can be encrypted with a strong
cipher like Blowfish.  It's not that hard.  The real issue with
cookie-storage is avoiding sending too much data back and forth.  In a
typical application, sessions contain a handful of database IDs and
uncommitted form data, so the size is reasonable.

- Perrin
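The scheme Perrin describes, as an added example rather than code from the message or from CGI::Application: a session dict is serialized, encrypted, then HMAC'd (encrypt-then-MAC), and the browser only ever sees an opaque token. This version is written in Python with the standard library alone, so it uses HMAC-SHA256 in counter mode as the cipher instead of the Blowfish the reply mentions; that substitution is only to avoid a third-party dependency, and production code should use a vetted AEAD such as AES-GCM. The master key, session contents, 4096-byte cookie limit and one-hour lifetime are all constructed for the example. The issue-time check and the size check are the caveats a practitioner would add to a cookie-only session: a sealed cookie can otherwise be replayed indefinitely, and the reply's "too much data" concern becomes a hard failure once name plus value exceeds what browsers store.

```python
"""Enciphered-cookie-only session: encrypt-then-MAC with stdlib primitives."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed 32-byte master key for the example; a real deployment reads
# it from configuration and rotates it, it never lives in source control.
MASTER_KEY = bytes.fromhex(
    "9d3b4e7f1a2c5d6e8f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f61"
)
COOKIE_LIMIT = 4096   # conventional per-cookie limit (name=value) in browsers
MAX_AGE = 3600        # seconds a sealed session stays acceptable (assumed)
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output length


def _subkey(master, label):
    # Derive independent encryption and MAC keys from one master secret.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher. Chosen only
    # to keep the example dependency-free; use AES-GCM or similar in practice.
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + struct.pack(">Q", counter)
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(session, master=MASTER_KEY, now=None):
    """Serialize, encrypt, then MAC a session dict into a cookie-safe token."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    plaintext = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    issued = struct.pack(">Q", int(time.time() if now is None else now))
    body = nonce + issued + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag covers nonce and timestamp as well, so neither can be altered.
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode("ascii")


def unseal(token, master=MASTER_KEY, max_age=MAX_AGE, now=None):
    """Verify and decrypt a token; return the session dict, or None on any failure."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + 8 + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Verify the MAC before touching ciphertext; compare_digest is constant-time.
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce = body[:NONCE_LEN]
    issued = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + 8])[0]
    ciphertext = body[NONCE_LEN + 8:]
    current = int(time.time() if now is None else now)
    if current - issued > max_age:
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    try:
        return json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


def fits_in_cookie(name, token):
    """The 'too much data' check: name=value must stay within the browser limit."""
    return len(name) + 1 + len(token) <= COOKIE_LIMIT


def tamper(token, index=40):
    """Flip one base64 character of a token to show that verification then fails."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
    ch = token[index]
    return token[:index] + alphabet[(alphabet.index(ch) + 1) % 64] + token[index + 1:]


if __name__ == "__main__":
    # Constructed session: a few database IDs and some uncommitted form data.
    session = {"user_id": 1042, "cart": [3, 17], "draft": {"qty": "2"}}
    cookie = seal(session)
    print("Set-Cookie: session=%s; HttpOnly; Secure" % cookie)
    print("round trip:", unseal(cookie))
    print("tampered:", unseal(tamper(cookie)))
    print("fits in cookie:", fits_in_cookie("session", cookie))
```

Because the tag is checked before anything is decrypted or parsed, a modified cookie, a cookie sealed under a different key, or a malformed token all come back as None and the application simply starts a fresh session; nothing the browser sends is ever trusted as session state until the MAC has passed.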

