Mike, there are two primary reasons for using a unique cookie for the identity framework. The first is that not everyone is going to have the session filter enabled. The second, and far more important reason, is that the identity cookie is signed using an SHA1 hash. This means the cookie is "pretty secure". You're unlikely to need to worry about someone spoofing an identity cookie. This means it's unlikely that someone would be able to generate a valid identity cookie. You still have to worry about someone sniffing the cookie and using it. But I have some ideas on that front too. We'll probably see them either post 0.9 or post 1.0.

On 1 Dec, 2005, at 5:15 pm, Mike Orr wrote:

--
Jeff Watkins

Computers, they're just a fad.
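The distinction drawn in the message above, between forging a signed cookie and replaying a sniffed one, shown as an added example that is not part of the original post and is not TurboGears code. The `user|expires|mac` layout, the secret and the function names are assumptions, and HMAC-SHA256 stands in for the SHA1 hash the message mentions.

```python
import hashlib
import hmac

# Constructed demo secret (assumption); a real server loads this from protected config.
SECRET = b"constructed-demo-secret"


def _mac(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(user_id, expires, secret=SECRET):
    """Build 'user_id|expires|mac' (hypothetical layout, not the identity framework's)."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    payload = f"{user_id}|{int(expires)}"
    return f"{payload}|{_mac(payload, secret)}"


def verify_cookie(cookie, now, secret=SECRET):
    """Return the user id if the MAC is valid and the cookie is unexpired, else None."""
    try:
        user_id, expires, mac = cookie.split("|")
        expires_at = int(expires)
    except ValueError:
        return None  # wrong field count or non-numeric expiry
    expected = _mac(f"{user_id}|{expires}", secret)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now >= expires_at:
        return None
    return user_id


def demo():
    issued = sign_cookie("jeff", 2000)           # constructed user and timestamps
    forged = issued.replace("jeff", "mike", 1)   # payload edited, MAC left unchanged
    sniffed = str(issued)                        # byte-identical copy seen on the wire
    return {
        "genuine": verify_cookie(issued, now=1000),
        "forged": verify_cookie(forged, now=1000),
        "replayed": verify_cookie(sniffed, now=1000),
        "expired": verify_cookie(issued, now=3000),
    }


if __name__ == "__main__":
    print(demo())
```

The signature rejects the edited cookie but accepts the byte-identical copy until it expires, so the sniffing case is limited by transport encryption (HTTPS with the cookie's `Secure` attribute) and short expiry rather than by the signature.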

