[cgiapp] enciphered-cookie-only sessions
Michael Peters
mpeters at plusthree.com
Tue Mar 11 11:22:18 EDT 2008
Ricardo SIGNES wrote:
> Is your objection just that you don't want me storing anything in your
> browser's cookie jar that isn't plaintext or a serial number?
Also, I'd like to make that point that a good unique session id (like one
generated form mod_unique_id) will be indistinguishable from some encrypted data
or some data structure. They need to be Base64 encoded (or similar) to be used
in HTTP headers anyway, so it's all plain text.
--
Michael Peters
Plus Three, LP
More information about the cgiapp
mailing list