Richtermeister wrote:
> Correct,
> 
> the key would be stored in the DB and be user specific.
> While I agree that storing the session in the DB as well would be a
> nice bit of added security, it wouldn't avoid the problem, as I would
> still need to store ccs in there encrypted as well..
> Also, how does https protect session information? I'm not aware it
> does that, but then again, I'm here asking questions out of ignorance
> in the first place.. ;)

I would assume it would protect the session key/name since all data over 
the wire is encrypted, but I agree, I don't see how SSL is solving the 
problem you are describing. SSL encrypts data between you and the 
client. You want to encrypt the cc data in the session, which is stored 
in a file on the server, from potentially malicious users of that server.


-- 
Nathanael d. Noblet
Gnat Solutions, Inc
T: 403.875.4613
