Thanks Ozgun, but I'm using Happstack: will this be compatible?

On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman <ozata...@gmail.com> wrote:
> I would encourage you to take a look at the snap (the web framework)
> package, where this concern is handled for you as part of the "session"
> snaplet.
>
> The Snap.Snaplet.Session<http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session.html>
> module and the
> Snap.Snaplet.Session.Backends.CookieSession<http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session-Backends-CookieSession.html>
> ensure that contents of the cookie-persistent sessions are encrypted and so you
> can place anything from user ids to other secret information there,
> although I would certainly keep it to a minimum for size concerns.
>
> Here it is: http://hackage.haskell.org/package/snap
>
> Hope this helps,
> Oz
>
> On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont <
> corentin.dup...@gmail.com> wrote:
>
>> So I need to "encrypt" the user ID in some way? What I need is to
>> associate the user ID to a random number and store the association in a
>> table?
>>
>> On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink <hessel...@gmail.com> wrote:
>>
>>> Note that cookies are not the solution here. Cookies are just as user
>>> controlled as the url, just less visible. What you need is a session
>>> id: a mapping from a non-consecutive, non-guessable, secret token to
>>> the user id (which is sequential and thus guessable, and often exposed
>>> in urls etc.). It doesn't matter if you then store it in the url or a
>>> cookie. Cookies are just more convenient.
>>>
>>> Erik
>>>
>>> On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont
>>> <corentin.dup...@gmail.com> wrote:
>>> > Yes, having a cookie to keep track of the session is something I plan
>>> > to do.
>>> >
>>> > On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauh...@gmail.com>
>>> > wrote:
>>> >>
>>> >> The user id is not necessarily the problem, but rather that you can
>>> >> impose as another user. For this, one solution is to keep track of a
>>> >> unique (changing) user token in the cookies and use that for verifying
>>> >> the user.
>>> >>
>>> >> --
>>> >> Mats Rauhala
>>> >> MasseR
>>> >>
>>> >> _______________________________________________
>>> >> Haskell-Cafe mailing list
>>> >> Haskell-Cafe@haskell.org
>>> >> http://www.haskell.org/mailman/listinfo/haskell-cafe
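
The session-id mapping Erik Hesselink describes, with the changing token Mats Rauhala mentions, as an added example (not code from the thread, nor from Happstack or Snap). It assumes the `entropy` and `base16-bytestring` packages; all type and function names are illustrative.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main where

import           Data.ByteString        (ByteString)
import qualified Data.ByteString.Base16 as B16        -- package: base16-bytestring
import           Data.IORef
import qualified Data.Map.Strict        as M
import           System.Entropy         (getEntropy)  -- package: entropy

type UserId    = Int         -- sequential and guessable: never used as a credential
type SessionId = ByteString  -- random and secret: the only value the client holds
type Sessions  = IORef (M.Map SessionId UserId)

-- | 32 bytes from the operating system's CSPRNG, hex-encoded for cookie or URL use.
newSessionId :: IO SessionId
newSessionId = B16.encode <$> getEntropy 32

-- | After the password check succeeds: mint a token and record token -> user.
login :: Sessions -> UserId -> IO SessionId
login ref uid = do
  sid <- newSessionId
  atomicModifyIORef' ref (\m -> (M.insert sid uid m, ()))
  return sid

-- | Resolve whatever the client sent. Anything not in the table is Nothing.
whoIs :: Sessions -> SessionId -> IO (Maybe UserId)
whoIs ref sid = M.lookup sid <$> readIORef ref

-- | Swap a valid token for a fresh one in a single atomic step, so the old
-- token stops working the moment the new one is issued.
rotate :: Sessions -> SessionId -> IO (Maybe SessionId)
rotate ref old = do
  new <- newSessionId
  atomicModifyIORef' ref $ \m -> case M.lookup old m of
    Nothing  -> (m, Nothing)
    Just uid -> (M.insert new uid (M.delete old m), Just new)

main :: IO ()
main = do
  ref <- newIORef M.empty
  sid <- login ref 42                 -- 42 is a constructed user id
  whoIs ref sid  >>= print            -- token issued at login resolves to the user
  whoIs ref "42" >>= print            -- sending the raw user id is not a valid token
  rotated <- rotate ref sid
  whoIs ref sid  >>= print            -- the pre-rotation token no longer resolves
  mapM_ (\s -> whoIs ref s >>= print) rotated
```

The table here lives in memory only; a deployed version also needs token expiry and a cookie sent with the Secure and HttpOnly attributes.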