On Thu, 14 Feb 2002 11:35:14 -0500
Perrin Harkins [EMAIL PROTECTED] wrote:
It's really a good idea to do this even when the cookie is nothing but a
session ID. A standard module for this like the one Jay mentioned would
definitely be nice.
Apache::Cookie::Encrypted seems to be the one.
://www.infonium.com/perl/ for a link to Apache::Tie::Cookie.
Featuring tied interface and lazy (demand) loading of cookie data.
Jay
- Original Message -
From: Jeffrey W. Baker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 13, 2002 3:00 PM
Subject: Cookie as session store
On Thu, 2002-02-14 at 06:17, Jay Lawrence wrote:
Jeffrey - interesting point!
What did you have in mind to encrypt the cookie data? Perhaps you could use
Storable to serialize data structure then convert, crypt to scramble and
then MIME64 to text encode?
I am not encrypting the session
When the cookie is recovered, I simply decode, uncompress, thaw, check
the digest, and thaw the inner object.
It's really a good idea to do this even when the cookie is nothing but a
session ID. A standard module for this like the one Jay mentioned would
definitely be nice.
My strategy for
Perrin Harkins wrote:
When the cookie is recovered, I simply decode, uncompress, thaw, check
the digest, and thaw the inner object.
It's really a good idea to do this even when the cookie is nothing but a
session ID. A standard module for this like the one Jay mentioned would
definitely be
I dunno... That sounds like a LOT of overhead for just a session ID
that's gonna result in server lookups too...
It's really not. It adds a negligible amount of time to the request. As
Jeffrey pointed out, the functions he's using are all in C and very fast.
Why verify session IDs? To make
I have sometimes proposed or recommended schemes of storing session
information in an HTTP cookie, encoded and protected by cryptographic
digest. I know some people on this list have implemented similar
schemes, but I have never actually had occasion to do so. Now I am
doing that, and I realize
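
The digest-protected cookie scheme discussed in this thread, as an added example that is not code from any poster or from the modules named above. It assumes HMAC-SHA256 as the digest (the thread does not name one), a constructed key and constructed session data, and it checks the digest before any byte reaches uncompress() or thaw(); the helper names seal_cookie, open_cookie and ct_eq are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);
use Compress::Zlib qw(compress uncompress);
use Storable qw(nfreeze thaw);

# Constructed key for this example; a real server loads a random secret from its configuration.
my $KEY = 'constructed-example-key-not-for-production';

# Serialize, compress, prepend an HMAC over the compressed bytes, then text-encode.
sub seal_cookie {
    my ($session) = @_;
    my $body = compress(nfreeze($session));
    my $mac  = hmac_sha256($body, $KEY);       # 32 raw bytes
    return encode_base64($mac . $body, '');    # '' suppresses line breaks
}

# Constant-time comparison of two byte strings.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session hashref, or undef if the cookie is malformed or was altered.
sub open_cookie {
    my ($cookie) = @_;
    return undef unless defined $cookie && $cookie =~ /\A[A-Za-z0-9+\/=]+\z/;
    my $raw = decode_base64($cookie);
    return undef if length($raw) <= 32;
    my ($mac, $body) = (substr($raw, 0, 32), substr($raw, 32));
    return undef unless ct_eq($mac, hmac_sha256($body, $KEY));
    # Only authenticated bytes are decompressed and deserialized.
    my $frozen = uncompress($body);
    return undef unless defined $frozen;
    return eval { thaw($frozen) };
}

my $cookie = seal_cookie({ user => 'alice', cart => [ 101, 205 ] });   # constructed data
print "valid cookie: user=", open_cookie($cookie)->{user}, "\n";

# Change one character of the encoded value, as a client editing its cookie would.
my $tampered = $cookie;
substr($tampered, -6, 1) = substr($tampered, -6, 1) eq 'A' ? 'B' : 'A';
print "tampered cookie: ", (defined open_cookie($tampered) ? "accepted" : "rejected"), "\n";
```

The value contains `+`, `/` and `=`, so it needs URL-escaping before it goes into a Set-Cookie header.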