You probably can't use it directly but it should at least show you how we did 
it. In particular, the Snap.Snaplet.Session.SecureCookie module (internal, I 
think, so look at source) may be of interest to you as it implements the 
self-contained idea of encrypted cookies.

- Oz 


On Wednesday, February 27, 2013 at 4:43 PM, Corentin Dupont wrote:

> Thanks Ozgun,
> but I'm using Happstack: will this be compatible?
> 
> On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman <ozata...@gmail.com> wrote:
> > I would encourage you to take a look at the snap (the web framework) 
> > package, where this concern is handled for you as part of the "session" 
> > snaplet.
> > 
> > The Snap.Snaplet.Session 
> > (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session.html)
> >  module and the Snap.Snaplet.Session.Backends.CookieSession 
> > (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session-Backends-CookieSession.html)
> >  ensure that contents of the cookie-persistent sessions are encrypted and 
> > so you can place anything from user ids to other secret information there, 
> > although I would certainly keep it to a minimum for size concerns. 
> > 
> > Here it is: http://hackage.haskell.org/package/snap
> > 
> > Hope this helps,
> > Oz
> > 
> > 
> > On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont <corentin.dup...@gmail.com> wrote:
> > > So I need to "encrypt" the user ID in some way? What I need is to 
> > > associate the user ID to a random number and store the association in a 
> > > table?
> > > 
> > > 
> > > On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink <hessel...@gmail.com> wrote:
> > > > Note that cookies are not the solution here. Cookies are just as user
> > > > controlled as the url, just less visible. What you need is a session
> > > > id: a mapping from a non-consecutive, non-guessable, secret token to
> > > > the user id (which is sequential and thus guessable, and often exposed
> > > > in urls etc.). It doesn't matter if you then store it in the url or a
> > > > cookie. Cookies are just more convenient.
> > > > 
> > > > Erik
> > > > 
> > > > On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont <corentin.dup...@gmail.com> wrote:
> > > > > Yes, having a cookie to keep track of the session is something I plan 
> > > > > to do.
> > > > >
> > > > > On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauh...@gmail.com> wrote:
> > > > >>
> > > > >> The user id is not necessarily the problem, but rather that you can
> > > > >> pose as another user. For this, one solution is to keep track of a
> > > > >> unique (changing) user token in the cookies and use that for
> > > > >> verifying the user.
> > > > >>
> > > > >> --
> > > > >> Mats Rauhala
> > > > >> MasseR
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Haskell-Cafe mailing list
> > > > >> Haskell-Cafe@haskell.org (mailto:Haskell-Cafe@haskell.org)
> > > > >> http://www.haskell.org/mailman/listinfo/haskell-cafe
> > > > >>
> > > > >
> > > > >
> > > > >
> > > 
> > > 
> > > 
> > 
> 
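
The session-id mapping described in the thread (an unguessable random token that maps server-side to the sequential user id, optionally swapped for a new token over time), as an added example that is not code from any poster or from Snap or Happstack. It assumes the `entropy` and `base16-bytestring` packages are available; all type and function names are hypothetical, and the in-memory map stands in for whatever table the application uses.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main where

import           Data.ByteString        (ByteString)
import qualified Data.ByteString.Base16 as B16  -- package: base16-bytestring
import           Data.IORef
import qualified Data.Map.Strict        as M
import           System.Entropy         (getEntropy)  -- package: entropy (OS CSPRNG)

-- Hypothetical names for this sketch; not Happstack or Snap API.
newtype UserId = UserId Int deriving (Eq, Show)
type Token = ByteString
type SessionStore = IORef (M.Map Token UserId)

-- 128 random bits, hex-encoded so the token is safe in a cookie or URL.
freshToken :: IO Token
freshToken = B16.encode <$> getEntropy 16

-- Call after a successful login; only the token goes to the client.
newSession :: SessionStore -> UserId -> IO Token
newSession store uid = do
  tok <- freshToken
  atomicModifyIORef' store $ \m -> (M.insert tok uid m, ())
  return tok

-- Resolve a client-supplied token; anything we did not issue is rejected.
lookupSession :: SessionStore -> Token -> IO (Maybe UserId)
lookupSession store tok = M.lookup tok <$> readIORef store

-- Replace a valid token with a new one (the "changing" token); the old
-- token stops resolving in the same atomic step.
rotateSession :: SessionStore -> Token -> IO (Maybe Token)
rotateSession store old = do
  new <- freshToken
  atomicModifyIORef' store $ \m -> case M.lookup old m of
    Nothing  -> (m, Nothing)
    Just uid -> (M.insert new uid (M.delete old m), Just new)

main :: IO ()
main = do
  store <- newIORef M.empty
  tok   <- newSession store (UserId 42)
  lookupSession store tok  >>= print   -- token issued at login
  lookupSession store "42" >>= print   -- a guessed user id is not a token
  rotated <- rotateSession store tok
  lookupSession store tok  >>= print   -- old token after rotation
  mapM_ (\t -> lookupSession store t >>= print) rotated  -- replacement token
```

The client only ever holds the hex token, so knowing or guessing a user id gives no way to construct a valid session.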

