On Sep 16, 2009, at 9:13, Brad Van Sickle wrote:
>> I've never seen the need to do that. In fact, I would suggest you
>> drop sessions altogether if you can. If you need any per-session
>> information then put it in a cookie. If you need this information
>> to be tamper-proof then you can create a hash of the cookie's data
>> that you store as part of the cookie. If you can reduce the # of
>> times that each request needs to actually hit the database you'll
>> have big wins.
> Can I get you to explain this a little more? I don't see how this
> could be used for truly secure sites because I don't quite
> understand how storing a hash in a plain text cookie would be secure.
If you are just concerned about the cookie being changed, add a time
stamp and a hash to the cookie data.
There's an example on page 19 of http://develooper.com/talks/rww-mysql-2008.pdf
...
If you are concerned about the cookie being readable at all, you can
encrypt the whole thing.
Either way it's "tamper proof".
- ask
--
http://develooper.com/ - http://askask.com/
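A worked version of the timestamp-plus-hash cookie described above, added here as an example; it is not code from the thread or from the linked slides, and it assumes a constructed server-side secret and a one-hour maximum age. The hash is keyed (an HMAC over the cookie data with a secret only the server knows), because an unkeyed hash of the cookie's contents could simply be recomputed by whoever edits the cookie.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example; a real deployment loads it from config
# and never places it in the cookie itself.
SECRET_KEY = b"example-secret-key-rotate-me"
MAX_AGE_SECONDS = 3600  # constructed policy: reject cookies older than an hour


def encode_payload(user_id: str, ts: int) -> str:
    """Pack the per-session data and its timestamp into a cookie-safe string."""
    return base64.urlsafe_b64encode(f"{user_id}|{ts}".encode()).decode()


def sign(payload: str) -> str:
    """Keyed hash over the payload; only the server can produce or check it."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user_id: str, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    payload = encode_payload(user_id, ts)
    return f"{payload}.{sign(payload)}"


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and fresh, else None."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no signature part at all
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(sign(payload), sig):
        return None  # data or signature was altered
    try:
        user_id, ts_str = base64.urlsafe_b64decode(payload).decode().split("|", 1)
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return None
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > MAX_AGE_SECONDS:
        return None  # stale (replayed) or dated in the future
    return user_id


if __name__ == "__main__":
    c = make_cookie("alice", now=1_000_000)
    print(verify_cookie(c, now=1_000_100))    # alice
    print(verify_cookie(c, now=1_003_601))    # None, expired
    print(verify_cookie(c + "x", now=1_000_100))  # None, signature mismatch
```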