On Mon, Jan 21, 2019 at 6:00 AM Adam Chlipala <[email protected]> wrote:
>
> On 1/21/19 2:22 AM, Simon Van Casteren wrote:
> > 1. Yeah after some experimentation I understood the builtin cookie
> > security mechanism is there for XSRF attacks only. That's why I made
> > my own cookie forgery protection by hashing the contents of the cookie
> > and always checking that digest when reading the cookie. I feel that
> > that is pretty safe (and much faster than always hitting the database)
> > since the only problem I can think of with that is somebody actually
> > getting a hold of the cookie itself, but once that happens you're
> > pretty much screwed anyway?
>
> You're right that this seems to be a classy use of crypto to optimize a
> protocol while maintaining security!

The JSON combined with a signature field does seem to also be the approach used by ocap-ld in the proof/signatureValue fields, so that may be worth a look as well.

https://w3c-ccg.github.io/ocap-ld/

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
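
The digest-checked cookie discussed in this thread, as an added example that is not part of the original messages or of Ur/Web: JSON contents plus a signature field, verified on every read without a database lookup. It assumes the digest is keyed with a server-side secret (HMAC-SHA256), which the thread does not specify; `SECRET_KEY`, the field names and the `exp` expiry field are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret that never leaves the server (constructed value).
SECRET_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def tag(payload: bytes, key: bytes) -> bytes:
    # Keyed digest: without the key a client cannot recompute it for new contents.
    return hmac.new(key, payload, hashlib.sha256).digest()

def sign_cookie(fields: dict, ttl: int, key: bytes = SECRET_KEY, now=None) -> str:
    """Serialize fields plus an expiry and append the digest: payload.tag"""
    issued = time.time() if now is None else now
    body = dict(fields, exp=int(issued + ttl))
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return b64e(payload) + "." + b64e(tag(payload, key))

def verify_cookie(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the cookie fields if the digest and expiry check out, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, received = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong number of parts or bad base64
        return None
    # Check the digest before parsing; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(received, tag(payload, key)):
        return None
    body = json.loads(payload)
    current = time.time() if now is None else now
    # The expiry bounds how long a copied cookie stays usable.
    if body.get("exp", 0) < current:
        return None
    return body

if __name__ == "__main__":
    cookie = sign_cookie({"user": "simon", "role": "member"}, ttl=3600)
    print(cookie)
    print(verify_cookie(cookie))
```

The expiry is the only part that addresses a cookie that has been copied in full; the digest itself only detects changed contents.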
