[Nitro] two way crypt function
transfire at gmail.com
Tue Nov 13 07:38:30 EST 2007
On Nov 13, 5:29 am, Timothy <interfe... at gmail.com> wrote:
> HMAC would be suitable for authentication of a message but how does adding it
> to cookies improve over using a single, random session id cookie and storing
> all sensitive data in a session store? Why would you want to authenticate
> messages to yourself when you could just keep them in your sight?
> I'm aware that for some small things it could be advantageous to avoid a
> roundtrip to a database due to frequent use but it's these same, frequently
> used pieces of data that will be expensive to verify repeatedly. It is common
> to see user preferences in cookies because the user cannot do any harm by
> changing them. Such applications should assume that the user might do so.
> Anything more sensitive should be kept serverside.
I agree. I don't think it wise to use a cookie for anything that needs
to be secure, other than a session key.
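Worked example (added here for illustration; this is not code from the thread, from Timothy, or from Nitro itself): the HMAC-authenticated cookie Timothy describes, beside the opaque random session id the reply prefers. The SignedCookie module name, the cookie layout (hex payload, a dot, hex HMAC-SHA256 tag) and the key are all assumptions made for the example. The point it shows is the one made above: an HMAC lets the server detect a client edit to low-value data like preferences, but every request pays a verification cost, and the data is still visible to the user, so it buys nothing for anything that must stay secret or authoritative.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical helper for the example; not Nitro's own API.
module SignedCookie
  SEPARATOR = '.'

  # Encode a small preference hash as hex(JSON) "." hex(HMAC-SHA256 over the hex payload).
  # The payload is only encoded, not encrypted: the user can read it, they just can't alter it.
  def self.sign(data, key)
    payload = JSON.generate(data).unpack1('H*')
    mac = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
    "#{payload}#{SEPARATOR}#{mac}"
  end

  # Recompute the tag over the received payload and compare before trusting any of it.
  # Returns the decoded hash, or nil for a missing, malformed or tampered cookie.
  def self.verify(cookie, key)
    payload, mac = cookie.to_s.split(SEPARATOR, 2)
    return nil if payload.nil? || mac.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
    return nil unless secure_compare(expected, mac)
    JSON.parse([payload].pack('H*').force_encoding('UTF-8'))
  rescue JSON::ParserError
    nil
  end

  # Constant-time comparison so the tag check does not leak how many bytes already match.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# The alternative from the reply: the cookie carries only an unguessable id, and
# everything sensitive lives in a server-side store keyed by it. Nothing to verify,
# nothing for the user to read or edit.
def new_session_id
  SecureRandom.hex(32)
end

if __FILE__ == $0
  key = 'constructed-example-key'            # would come from server config, never the client
  cookie = SignedCookie.sign({ 'theme' => 'dark' }, key)
  puts "cookie: #{cookie}"
  puts "verified: #{SignedCookie.verify(cookie, key).inspect}"
  # A user swapping in their own payload while keeping the old tag is rejected.
  forged = SignedCookie.sign({ 'theme' => 'light' }, key).split('.').first + '.' + cookie.split('.').last
  puts "forged: #{SignedCookie.verify(forged, key).inspect}"
  puts "session id: #{new_session_id}"
end
```

The forged cookie in the demo is the case the thread is about: same tag, different payload, and verify returns nil, so the server falls back to defaults instead of honouring the edit. The cost is an HMAC per request for data the server would otherwise just look up once.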