[Nitro] two way crypt function

George Moschovitis george.moschovitis at gmail.com
Tue Nov 13 07:46:01 EST 2007

I think the cookie session store is a great idea because it keeps the
(small) state to the client. So I can redirect the client to different
servers in my cluster w/o worrying about synchronizing state.

btw, Bill's fix seems to have solved the AlteredCookie bug! :) :)


On Nov 13, 2007 2:38 PM, Trans <transfire at gmail.com> wrote:

> On Nov 13, 5:29 am, Timothy <interfe... at gmail.com> wrote:
> > HMAC would be suitable for authentication of a message but how does
> > adding it to cookies improve over using a single, random session id
> > cookie and storing all sensitive data in a session store? Why would
> > you want to authenticate messages to yourself when you could just
> > keep them in your sight?
> >
> > I'm aware that for some small things it could be advantageous to
> > avoid a roundtrip to a database due to frequent use but it's these
> > same, frequently used pieces of data that will be expensive to verify
> > repeatedly. It is common to see user preferences in cookies because
> > the user cannot do any harm by changing them. Such applications
> > should assume that the user might do so. Anything more sensitive
> > should be kept serverside.
>
> I agree. I don't think it wise to use a cookie for anything that needs
> to be secure, other than a session key.
> T.
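The trade-off discussed in this thread, as an added Ruby example that is not part of any message above and is not Nitro's own code: an HMAC-signed cookie lets any server in a cluster detect a client-side change without shared session storage, but the payload stays readable by the client. The names `seal`, `unseal`, `client_view`, `TamperedCookie` and the key value are hypothetical and constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Raised when a cookie fails verification (hypothetical name, not Nitro's class).
class TamperedCookie < StandardError; end

# Constructed key for the example; a deployment would load one random secret
# shared by every server in the cluster.
SECRET = 'constructed-example-key-not-for-production'

def mac(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, data)
end

# Serialize the session, then append an HMAC over the encoded payload.
# '.' is the separator because it never occurs in URL-safe Base64 or hex.
def seal(session)
  payload = Base64.urlsafe_encode64(JSON.generate(session))
  "#{payload}.#{mac(payload)}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify the tag before decoding anything the client sent.
def unseal(cookie)
  payload, tag = cookie.to_s.split('.', 2)
  raise TamperedCookie, 'malformed cookie' if payload.nil? || tag.nil?
  raise TamperedCookie, 'bad signature' unless secure_equal?(mac(payload), tag)
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# What the client can do without the key: read the payload, since the
# cookie is authenticated but not encrypted.
def client_view(cookie)
  JSON.parse(Base64.urlsafe_decode64(cookie.split('.', 2).first))
end
```

A cookie built this way is only safe for data the user may see; anything that must stay secret still belongs behind a session key on the server.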