2012/6/11 Anthony <abasta...@gmail.com>:
>> Does it make sense if we impose that the in-cookie session can be
>> enabled only on an SSL session?
>
>
> I assume the cookie is cryptographically signed so it can't be modified, so
> SSL shouldn't be necessary (though it could optionally be turned on for
> additional protection to keep the contents private).

Knowing the application and its state, can someone find the key, since there is a single encryption/decryption key?
>
>>
>> Could we also leverage the browser local store as an option?
>
>
> How would the server access the session then?

Encrypting its content with a nonce from the server and sending the encrypted data back in a header?

>
> Anthony
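The exchange above turns on what a "cryptographically signed" cookie session does and does not guarantee. The following is an added example, not code from the thread or from the framework it discusses: a minimal HMAC-SHA256 signed cookie session in Python. It shows that a forged or tampered cookie, an expired one, or one signed under a different key is rejected, while the session contents remain readable by anyone on the wire, which is why SSL is still needed for confidentiality. The class name `SessionCookie`, the constant `SECRET_KEY`, the helpers `tamper` and `peek_without_key`, and the sample session dict are assumptions for illustration.

```python
"""
Added example: HMAC-signed cookie session (integrity only, no confidentiality).
Not the code of the thread or of the framework it discusses; names below are
assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-example-key-do-not-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookie:
    """Serialises a session dict into a signed cookie value and back."""

    def __init__(self, key: bytes, max_age: int = 3600):
        self.key = key
        self.max_age = max_age

    def _mac(self, payload: str) -> str:
        return _b64e(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())

    def dump(self, session: dict, now: Optional[float] = None) -> str:
        # The timestamp is signed together with the data, so an old cookie
        # cannot be replayed indefinitely.
        body = {"data": session, "ts": int(now if now is not None else time.time())}
        payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
        return f"{payload}.{self._mac(payload)}"

    def load(self, cookie: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session dict, or None if the cookie is forged, mangled or expired."""
        try:
            payload, sig = cookie.rsplit(".", 1)
        except ValueError:
            return None
        # Constant-time comparison: a plain == would leak the MAC byte by byte.
        if not hmac.compare_digest(self._mac(payload), sig):
            return None
        try:
            body = json.loads(_b64d(payload))
            issued = body["ts"]
            data = body["data"]
        except (ValueError, KeyError, TypeError):
            return None
        current = now if now is not None else time.time()
        if current - issued > self.max_age:
            return None
        return data


def peek_without_key(cookie: str) -> dict:
    """What a passive observer sees without TLS: the signed payload is only base64."""
    payload = cookie.rsplit(".", 1)[0]
    return json.loads(_b64d(payload))["data"]


def tamper(cookie: str, **changes) -> str:
    """Constructed attacker step: rewrite a field and keep the original MAC."""
    payload, sig = cookie.rsplit(".", 1)
    body = json.loads(_b64d(payload))
    body["data"].update(changes)
    forged = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    return f"{forged}.{sig}"


def demo() -> dict:
    store = SessionCookie(SECRET_KEY, max_age=3600)
    session = {"user_id": 42, "role": "user"}  # constructed sample session
    cookie = store.dump(session, now=1_000_000)
    return {
        "round_trip": store.load(cookie, now=1_000_100),
        "tampered": store.load(tamper(cookie, role="admin"), now=1_000_100),
        "expired": store.load(cookie, now=1_000_000 + 3601),
        "wrong_key": SessionCookie(b"other-key").load(cookie, now=1_000_100),
        "visible_without_tls": peek_without_key(cookie),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MAC gives integrity, not secrecy: `peek_without_key` recovers the full session without the key, so anything sensitive in the cookie is exposed on a plain HTTP connection. Because a single server key signs every session, that key must be high-entropy and loaded from configuration rather than derived from anything about the application or its state; whoever obtains it can mint a valid cookie for any user.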