[Nitro] two way crypt function
george.moschovitis at gmail.com
Tue Nov 13 07:46:01 EST 2007
I think the cookie session store is a great idea because it keeps the
(small) state to the client. So I can redirect the client to different
servers in my cluster w/o worrying about synchronizing state.
Btw, Bill's fix seems to have solved the AlteredCookie bug! :) :)
On Nov 13, 2007 2:38 PM, Trans <transfire at gmail.com> wrote:
> On Nov 13, 5:29 am, Timothy <interfe... at gmail.com> wrote:
> > HMAC would be suitable for authentication of a message but how does adding it
> > to cookies improve over using a single, random session id cookie and
> > all sensitive data in a session store? Why would you want to
> > messages to yourself when you could just keep them in your sight?
> > I'm aware that for some small things it could be advantageous to avoid a
> > roundtrip to a database due to frequent use but it's these same,
> > used pieces of data that will be expensive to verify repeatedly. It is
> > to see user preferences in cookies because the user cannot do any harm
> > changing them. Such applications should assume that the user might do
> > Anything more sensitive should be kept serverside.
> I agree. I don't think it wise to use a cookie for anything that needs
> to be secure, other than a session key.
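Added example (not part of the thread and not Nitro's session code): an HMAC-signed cookie store in Ruby, showing that an altered cookie is rejected while the payload itself stays readable by the client, which is the reason the replies above want sensitive data kept server-side. SECRET, AlteredCookieError and the function names are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Constructed demo key (assumption). Every server in the cluster needs the
# same key so that any of them can verify a cookie issued by another.
SECRET = "constructed-demo-key-not-for-production"

class AlteredCookieError < StandardError; end # hypothetical error name

def cookie_mac(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value format: "<strict base64 of JSON>--<hex HMAC-SHA256>".
def dump_session(session)
  payload = [JSON.generate(session)].pack("m0")
  "#{payload}--#{cookie_mac(payload)}"
end

# Verify the tag first; parse the client-supplied data only if it matches.
def load_session(cookie)
  payload, sep, mac = cookie.to_s.rpartition("--")
  raise AlteredCookieError, "malformed cookie" if sep.empty?
  unless secure_equal?(mac, cookie_mac(payload))
    raise AlteredCookieError, "MAC mismatch"
  end
  JSON.parse(payload.unpack1("m0"))
end

# What the client can do without the key: read every field. The HMAC gives
# integrity only, not confidentiality.
def client_view(cookie)
  JSON.parse(cookie.rpartition("--").first.unpack1("m0"))
end
```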