[cgiapp] enciphered-cookie-only sessions
Mark Fuller
azfuller at gmail.com
Tue Mar 11 11:34:22 EDT 2008
On Tue, Mar 11, 2008 at 8:19 AM, Ricardo SIGNES
<perl.cgiapp at rjbs.manxome.org> wrote:
> Is your objection just that you don't want me storing anything in your
> browser's cookie jar that isn't plaintext ...
Yes. I thought I'd said that more than once. An unfortunate perception
exists among many that cookies are bad. IMO encrypting session data
and placing it in a cookie contributes to that perception. It doesn't
mean every usage is bad. But, it can be. The problem being that it's
not transparent for the recipient to make that determination.
I agree with you that worse things could be happening on the backend
(storing credit card numbers in clear text on a loosely secured
network-accessible device).
Mark