[Nitro] two way crypt function

Timothy interfecus at gmail.com
Tue Nov 13 05:29:43 EST 2007

On Sunday 11 November 2007 14:24:54 Trans wrote:
> On Nov 10, 5:23 pm, Timothy <interfe... at gmail.com> wrote:
> > HMAC is not appropriate for this! HMAC is for authentication over a
> > network, not for encryption.
> Currently authentication is all George is doing and that's what I was
> suggesting it for. Also, HMAC is a part of OpenSSL.
> I think if you go so far as to encrypt cookies, you should consider
> carefully if you should be using cookies to begin with. Also don't
> bother encrypting any cookie that doesn't really need to be. I
> couldn't care less if anyone finds out my shoe size ;)
> T.

HMAC would be suitable for authentication of a message but how does adding it 
to cookies improve over using a single, random session id cookie and storing 
all sensitive data in a session store? Why would you want to authenticate 
messages to yourself when you could just keep them in your sight?

I'm aware that for some small things it could be advantageous to avoid a 
roundtrip to a database due to frequent use but it's these same, frequently 
used pieces of data that will be expensive to verify repeatedly. It is common 
to see user preferences in cookies because the user cannot do any harm by 
changing them. Such applications should assume that the user might do so. 
Anything more sensitive should be kept serverside.
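The two designs under discussion side by side, as an added Ruby example (Nitro being a Ruby framework and OpenSSL already on the table); this is not code from the thread or from Nitro. It shows the HMAC-signed cookie that Trans suggests, which detects tampering but leaves the value readable and stays valid until the key changes, next to the random session id with a server-side store that Timothy prefers, which puts nothing about the user in the cookie at all. The method names, the `--` separator and the in-memory `SessionStore` are assumptions made for the example, and the key is generated per process purely for the demo.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constructed per-process key for the demo; a real application loads a fixed secret
# from configuration and never regenerates it, or every existing cookie stops verifying.
COOKIE_KEY = SecureRandom.random_bytes(32)

# Constant-time comparison so a wrong MAC cannot be confirmed byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# --- Variant 1: data carried in the cookie, integrity protected by HMAC-SHA256 ---
# Cookie layout (assumed for this example): "<base64 json>--<hex mac>".
# Anyone holding the cookie can read it; only the key holder can mint a valid one.
def sign_cookie(data, key = COOKIE_KEY)
  payload = [JSON.generate(data)].pack('m0')          # strict base64, no newlines
  mac = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  "#{payload}--#{mac}"
end

# Returns the decoded Hash, or nil if the MAC is missing or wrong or the payload is malformed.
def verify_cookie(cookie, key = COOKIE_KEY)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  return nil unless secure_compare(expected, mac)
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# HMAC gives integrity only: the payload is readable without the key, so nothing
# confidential belongs in it (this is the "not for encryption" point in the thread).
def cookie_plaintext(cookie)
  payload = cookie.to_s.split('--', 2).first
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- Variant 2: random session id in the cookie, all data in a server-side store ---
class SessionStore
  def initialize
    @sessions = {}
  end

  # 128 bits of randomness; the id encodes nothing about the user, so there is
  # nothing to verify on each request beyond the hash lookup.
  def create(data)
    id = SecureRandom.hex(16)
    @sessions[id] = data.dup
    id
  end

  def fetch(id)
    @sessions[id]
  end

  # Server-side state can be revoked at once; a signed cookie stays valid until the key rotates.
  def destroy(id)
    @sessions.delete(id)
  end
end

if __FILE__ == $0
  prefs = { 'user_id' => 42, 'shoe_size' => 10 }      # constructed sample data
  cookie = sign_cookie(prefs)
  puts "signed cookie: #{cookie}"
  puts "readable without key: #{cookie_plaintext(cookie).inspect}"
  puts "verified: #{verify_cookie(cookie).inspect}"
  store = SessionStore.new
  sid = store.create(prefs)
  puts "session cookie carries only: #{sid}"
end
```

A forged payload reattached to a genuine MAC fails `verify_cookie`, as does a cookie signed under another key, which is the whole benefit of the HMAC variant; the trade-off Timothy raises is visible in the code as well: every request pays a MAC computation, and `cookie_plaintext` shows the contents were never hidden, whereas the session-store variant costs one lookup and exposes only an opaque id.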

