I've used a "last login" datetime as the key for the AES encryption of
a random token (UUID) which is then HMAC-signed before being saved as
a base64-encoded cookie. In this way I can trivially detect
alterations to the cookie (HMAC fails), protect the content of the
cookie from disclosure (through encryption), ensure collisions won't
happen in our lifetimes (UUID), and prevent multiple sign-ons (on a new
sign-on, the last-login key value changes and decryption fails). I
can store an arbitrary amount of data this way (up to the limit for
cookie storage) as the data is stored in a simple bencoded dictionary.
Using the above method allows you to use cookies for actual storage of
session data, vs. having a session ID cookie which loads data from
memcached or a database.
— Alice.
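The scheme described in the message above, written out as an added example (this is not Alice's code and not part of the original post). It uses only the Python standard library, so two things are stand-ins and are labelled as such in the code: the AES step is replaced by a counter-mode keystream generated with HMAC-SHA256 (swap in AES-CTR from the `cryptography` package in a real deployment), and a hypothetical `SERVER_SECRET` is mixed into the key derivation because a timestamp alone has too little entropy to serve as an encryption key. The bencode codec is a minimal one written for this example. The "last login" values and session contents are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import struct

# Assumed server-side secret (hypothetical value); load it from config in practice.
SERVER_SECRET = b"example-server-secret-not-for-production"
NONCE_LEN, TAG_LEN = 16, 32


# --- minimal bencode codec: dict / list / int / bytes (str is encoded as UTF-8) ---
def bencode(v):
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, str):
        v = v.encode()
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):  # keys sorted by raw bytes, as bencode requires
        items = sorted((k.encode() if isinstance(k, str) else k, x) for k, x in v.items())
        return b"d" + b"".join(bencode(k) + bencode(x) for k, x in items) + b"e"
    raise TypeError("unsupported type %r" % type(v))


def bdecode(data):
    """Parse one bencoded value; raise ValueError on malformed or trailing input."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            j = data.index(b"e", i)
            return int(data[i + 1:j]), j + 1
        if c in (b"l", b"d"):
            out, i = ([] if c == b"l" else {}), i + 1
            while data[i:i + 1] != b"e":
                if not data[i:i + 1]:
                    raise ValueError("truncated container")
                x, i = parse(i)
                if isinstance(out, list):
                    out.append(x)
                else:
                    out[x], i = parse(i)
            return out, i + 1
        j = data.index(b":", i)
        n = int(data[i:j])
        if j + 1 + n > len(data):
            raise ValueError("truncated string")
        return data[j + 1:j + 1 + n], j + 1 + n
    v, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes")
    return v


def keystream_xor(key, nonce, data):
    """Counter-mode stream cipher with HMAC-SHA256 as the block PRF.
    Stand-in for AES-CTR so the example needs no third-party package."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def derive_keys(last_login):
    """Encryption and MAC keys from the last-login timestamp, mixed with the server
    secret (assumption: a timestamp alone is guessable, so it is not used raw)."""
    prk = hmac.new(SERVER_SECRET, last_login.encode(), hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())


def seal(session, last_login):
    """bencode -> encrypt -> HMAC (encrypt-then-MAC) -> base64 cookie value."""
    enc_key, mac_key = derive_keys(last_login)
    nonce = os.urandom(NONCE_LEN)
    body = nonce + keystream_xor(enc_key, nonce, bencode(session))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")


def open_cookie(cookie, last_login):
    """Return the session dict, or None if the cookie was altered or is stale."""
    enc_key, mac_key = derive_keys(last_login)
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered, or sealed under an older last-login key
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    try:
        return bdecode(keystream_xor(enc_key, nonce, ct))
    except ValueError:
        return None


def tamper(cookie, offset=NONCE_LEN):
    """Flip one ciphertext bit, as an attacker editing the cookie would."""
    raw = bytearray(base64.b64decode(cookie))
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    login1, login2 = "2009-03-01T12:00:00Z", "2009-03-02T08:30:00Z"  # constructed
    session = {"token": os.urandom(16).hex(), "user_id": 42, "roles": ["admin", "ops"]}
    cookie = seal(session, login1)
    print(open_cookie(cookie, login1))          # session back, keys as bytes
    print(open_cookie(tamper(cookie), login1))  # None: HMAC mismatch
    print(open_cookie(cookie, login2))          # None: new sign-on rotated the key
```

Two design choices worth noting. The MAC key is derived from the same last-login material as the encryption key, so a cookie from a previous sign-on is rejected at the constant-time HMAC check rather than by a decryption error; with a stream cipher there is no "decryption fails" signal, only garbage, so relying on the MAC to reject stale cookies is the deterministic option. Replacing `keystream_xor` with AES-CTR (`Cipher(algorithms.AES(enc_key), modes.CTR(nonce))` from `cryptography.hazmat.primitives.ciphers`) changes nothing else in the flow.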
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group: http://groups.google.com/group/pylons-discuss?hl=en