[cgiapp] enciphered-cookie-only sessions

Mark Fuller azfuller at gmail.com
Tue Mar 11 10:52:29 EDT 2008


On Mon, Mar 10, 2008 at 9:54 AM, Ricardo SIGNES
<perl.cgiapp at rjbs.manxome.org> wrote:
>
>  I think the amount of brute force required would still be pretty darn brutal.

Doesn't it depend upon the operator's choice of passphrase? And,
whether tomorrow is the day a weakness is found in the encryption
method? (In 2003 the NSA said Rijndael could be used for classified
data. In 2006, the NSA said it couldn't.)

>  I wouldn't use this for anything like banking or credit cards, but I feel
>  pretty okay about it for things like a Rubric login.

The problem (from my perspective) is that if it's encrypted *I* have
no idea what you're trying to store on *my* computer. Nor what
encryption method you've chosen (if any at all; it could be base 64
encoding to obfuscate the data), nor your diligence in choosing a
passphrase.

>  Probably what I'll do in the (near) future is have an n-day log of secrets,
>  generated daily.  The cookie will then be like
>
>   { generated: yyyymmdd, cookie: ciphertext }
>
>  You'll have to crack the secret within n days, which makes it even more
>  tedious.

I was thinking more along the lines of a cracked cookie being harmful
to me, not you. :)

This just doesn't seem like a good use of a cookie to me. It could be
a good use. But, as the person upon whose computer it is being placed
(which might be a public computer, et al), I can't tell if it's a good
use because it's encrypted. A lack of transparency into what's being
placed on (hopefully) my computer doesn't seem like a good thing. It
may make the operator's processing more efficient and scalable. But,
I'm old enough to remember people making that argument for storing
private information as hidden form fields 15 years ago.

Mark
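Ricardo's n-day log of daily secrets, worked through as an added example; this is not code from the thread or from CGI::Application. The server keeps only the last n secrets, each cookie records the date of the secret that sealed it, and a cookie is refused once its secret has been dropped from the log or if its authentication tag no longer matches, so a modified cookie is rejected rather than decrypted. The HMAC-derived keystream and every name here are my assumptions, a stand-in for a standard authenticated cipher.

```python
import base64, datetime, hashlib, hmac, json, os
N_DAYS = 3   # daily secrets the server keeps (assumption, Ricardo's "n")

def rotate_secrets(log, today):
    """Add today's secret to the log and drop any older than N_DAYS days."""
    log.setdefault(today.strftime("%Y%m%d"), os.urandom(32))
    cutoff = (today - datetime.timedelta(days=N_DAYS - 1)).strftime("%Y%m%d")
    for key_id in [k for k in log if k < cutoff]:
        del log[key_id]
    return log

def _prf(secret, label, data):
    return hmac.new(secret, label + data, hashlib.sha256).digest()

def _xor_stream(secret, nonce, data):
    # Counter-mode keystream from HMAC; a stand-in for a real cipher (assumption).
    stream = b"".join(_prf(secret, b"enc", nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(log, today, session):
    """Encrypt-then-MAC the session under today's secret; the cookie names its key id."""
    key_id = today.strftime("%Y%m%d")
    nonce = os.urandom(16)
    ct = _xor_stream(log[key_id], nonce, json.dumps(session).encode())
    tag = _prf(log[key_id], b"mac", key_id.encode() + nonce + ct)
    return {"generated": key_id, "cookie": base64.urlsafe_b64encode(nonce + ct + tag).decode()}

def unseal(log, cookie):
    """Return the session, or None if its secret is gone or the tag fails."""
    key_id = cookie["generated"]
    if key_id not in log:            # rotated out after N_DAYS: cookie is dead
        return None
    raw = base64.urlsafe_b64decode(cookie["cookie"])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _prf(log[key_id], b"mac", key_id.encode() + nonce + ct)):
        return None                  # tampered ciphertext or forged key id
    return json.loads(_xor_stream(log[key_id], nonce, ct))

def demo():
    """Seal on day 1; show that tampering and secret expiry both reject the cookie."""
    log, day1 = {}, datetime.date(2008, 3, 11)
    rotate_secrets(log, day1)
    cookie = seal(log, day1, {"user": "mark"})
    raw = bytearray(base64.urlsafe_b64decode(cookie["cookie"]))
    raw[16] ^= 1                      # flip one ciphertext bit
    forged = dict(cookie, cookie=base64.urlsafe_b64encode(bytes(raw)).decode())
    valid, tampered = unseal(log, cookie), unseal(log, forged)
    for d in range(1, N_DAYS + 1):    # N_DAYS further daily rotations
        rotate_secrets(log, day1 + datetime.timedelta(days=d))
    return valid, tampered, unseal(log, cookie)
```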
