Hi Randal, nice to see you. Your suggestion is where I am coming FROM: right now the cookie is only a key into the mysql table which holds session data.

What I want is to stop using that table altogether and let the browser hold the information, in a manner that is straightforward, flexible and secure.

Igor

On Fri, Sep 18, 2009 at 9:33 AM, Randal L. Schwartz <mer...@stonehenge.com> wrote:

> >>>>> "Igor" == Igor Chudov <ichu...@gmail.com> writes:
>
> Igor> I was very excited by the suggestion to use cookies to store the entire
> Igor> session information, and to keep it safe by means of base64 encoding and
> Igor> MD5 hash with a secret salt, for storing session information securely on
> Igor> the client.
>
> Ahh, phase 2 of cookie awareness. When you get to phase 3, you realize that
> cookies should really just be used to distinguish one browser from another,
> and hold everything server-side instead for far better security and
> flexibility. (Remember, server-side could be something as simple as
> DBM::Deep, which is a single-file zero-install module that gives you
> arbitrary persistent Perl data structures efficiently.)
>
> See my (slightly aged but still valid) write-up of this at:
>
> http://www.stonehenge.com/merlyn/WebTechniques/col61.html
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
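The client-side session scheme Igor describes, as an added example that is not part of the thread (written in Python rather than Perl so it is self-contained; the secret and session values are constructed). It uses HMAC-SHA256 instead of a bare MD5 over secret plus data, because a plain Merkle-Damgard hash with a prefixed secret is open to length-extension forgery, and it carries an expiry so a captured cookie cannot be replayed forever. `decode_unverified` is there to make Randal's point concrete: base64 only encodes, so everything in the cookie is readable by whoever holds it.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-rotate-me"  # constructed; load from config in a real app


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(session: dict, secret: bytes = SECRET, ttl: int = 3600, now=None) -> str:
    """Serialize session + expiry, base64 it, and append an HMAC tag over the payload."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"d": session, "exp": now + ttl}, separators=(",", ":"))
    payload = b64e(body.encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64e(tag)


def read_cookie(cookie: str, secret: bytes = SECRET, now=None):
    """Return the session dict only if the tag verifies and the cookie is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: check the tag before trusting or even parsing the payload.
        if not hmac.compare_digest(b64d(tag), expected):
            return None
        body = json.loads(b64d(payload))
    except ValueError:  # bad padding, bad JSON, or missing separator
        return None
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        return None
    return body.get("d")


def decode_unverified(cookie: str) -> dict:
    """What any holder of the cookie can read: encoding is not encryption."""
    return json.loads(b64d(cookie.split(".", 1)[0]))
```

Anything sensitive (more than an opaque user id and a role) should therefore live server-side, with the cookie acting only as the lookup key, which is the arrangement Randal's reply recommends.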