On Saturday, May 16, 2015 at 5:12:08 PM UTC-4, Laurence Rowe wrote:
>
> Signed cookies are usually just fine, you only need encryption if you want
> to prevent the user from inspecting the content stored in their cookies.
>
Encryption is also needed if you want to prevent others on the network from inspecting cookie content. I've seen a few apps where the developers stored 3rd party auth information in a cookie; while it's fine for users to access that info and for it to merely be signed as "proof" it was already registered with the application, unless that content is locked to HTTPS it can be visible in network traffic.
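Added example, not part of the thread and not Pyramid's own cookie format: a generic HMAC-signed cookie built with the Python standard library, showing that the signature stops modification while the payload stays readable to anyone who holds or observes the cookie. The secret, field names and token value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"  # assumption: key known only to the server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _mac(body: str, secret: bytes) -> str:
    return _b64(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())


def sign_cookie(payload: dict, secret: bytes = SECRET) -> str:
    """Return 'body.mac': base64-encoded JSON plus an HMAC-SHA256 over it."""
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    return body + "." + _mac(body, secret)


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Server side: return the payload if the MAC is valid, otherwise None."""
    body, sep, mac = cookie.partition(".")
    if not sep or not body.isascii():
        return None
    if not hmac.compare_digest(_mac(body, secret).encode(), mac.encode("utf-8")):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def read_without_key(cookie: str) -> dict:
    """What the user, or an observer of plain-HTTP traffic, can recover.
    No secret is involved: the body is only encoded, not encrypted."""
    return json.loads(base64.urlsafe_b64decode(cookie.partition(".")[0]))


# Constructed sample standing in for third-party auth data kept in a cookie.
PAYLOAD = {"provider": "example-idp", "token": "constructed-token-123"}
cookie = sign_cookie(PAYLOAD)

# A modified body reusing the original MAC is rejected by the server.
altered_body = _b64(json.dumps({"provider": "example-idp", "token": "x"}).encode())
tampered = altered_body + "." + cookie.partition(".")[2]
```

Keeping such a value confidential on the wire means sending the cookie only over HTTPS (the `Secure` cookie attribute) or encrypting the payload in addition to signing it.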