* Mark Fuller <[EMAIL PROTECTED]> [2008-03-10T09:06:30]
> On Mon, Mar 10, 2008 at 3:56 AM, Ricardo SIGNES
> <[EMAIL PROTECTED]> wrote:
> > stores your whole session in the cookie. It's stored as a base64-encoded,
> > Rijndael-enciphered, JSON-encoded string. This seemed like a swell idea
> > for me,
>
> I hear a lot about brute-force attacks on encryption. Also, that what
> seemed like a terrific amount of brute force 5-10 years ago isn't
> today. Is that a concern (if someone steals cookies)?

I think the amount of brute force required would still be pretty darn brutal. I wouldn't use this for anything like banking or credit cards, but I feel pretty okay about it for things like a Rubric login.

Probably what I'll do in the (near) future is have an n-day log of secrets, generated daily. The cookie will then be like

  { generated: yyyymmdd, cookie: ciphertext }

You'll have to crack the secret within n days, which makes it even more tedious.

Anyway, like I said, and like others say, this isn't for everyone or everything.

-- 
rjbs

CGI::Application community mailing list
To unsubscribe, or change your message delivery options, visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
Wiki: http://cgiapp.erlbaum.net/
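The rotating-secret scheme rjbs sketches above (a daily secret, a cookie of the form { generated: yyyymmdd, cookie: ciphertext }, and an n-day window after which the secret is gone) as an added, self-contained example. This is not rjbs's code and not part of CGI::Application or Rubric; it is written in Go rather than the Perl of the original, and it uses AES-GCM (the standardized Rijndael in an authenticated mode) in place of whatever Rijndael mode the original used, so a tampered ciphertext or a re-labelled `generated` field is rejected rather than decrypted to garbage. The `Session`, `Cookie` and `SecretLog` types, the 3-day window in `main`, and the sample user name are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

type Session struct{ User string }             // state that would otherwise live in a server-side store
type Cookie struct{ Generated, Cookie string } // wire shape from the thread: yyyymmdd, base64(nonce || ciphertext || tag)
const dayLayout = "20060102"                   // Go's reference layout for yyyymmdd

// SecretLog keeps one random 256-bit key per day and forgets keys older than `days`
// rotations, so a cookie sealed under an evicted key can never be opened again.
type SecretLog struct {
	days    int
	secrets map[string][]byte // day -> key
}

func NewSecretLog(days int) *SecretLog {
	return &SecretLog{days: days, secrets: make(map[string][]byte)}
}

// Rotate creates the key for today (once) and evicts keys outside the window.
func (l *SecretLog) Rotate(today time.Time) error {
	day := today.Format(dayLayout)
	if _, ok := l.secrets[day]; ok {
		return nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	l.secrets[day] = key
	cutoff, _ := time.Parse(dayLayout, day) // midnight today, so the window counts whole days
	for k := range l.secrets {
		if t, _ := time.Parse(dayLayout, k); cutoff.Sub(t) >= time.Duration(l.days)*24*time.Hour {
			delete(l.secrets, k)
		}
	}
	return nil
}

func gcmFor(key []byte) cipher.AEAD { // cannot fail: Rotate always produces a valid 32-byte AES key
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal JSON-encodes the session and encrypts it under today's key. The day string is
// bound as associated data, so the "generated" field cannot be swapped to reach another key.
func Seal(l *SecretLog, today time.Time, s Session) (Cookie, error) {
	day := today.Format(dayLayout)
	key, ok := l.secrets[day]
	if !ok {
		return Cookie{}, fmt.Errorf("no secret for %s; call Rotate first", day)
	}
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Cookie{}, err
	}
	plain, _ := json.Marshal(s)
	ct := g.Seal(nonce, nonce, plain, []byte(day)) // nonce is prepended to the output
	return Cookie{Generated: day, Cookie: base64.StdEncoding.EncodeToString(ct)}, nil
}

// Open fails if the key has rotated out, the value is malformed, or anything was altered.
func Open(l *SecretLog, c Cookie) (Session, error) {
	var s Session
	key, ok := l.secrets[c.Generated]
	if !ok {
		return s, fmt.Errorf("secret for %q is outside the %d-day window", c.Generated, l.days)
	}
	ct, err := base64.StdEncoding.DecodeString(c.Cookie)
	g := gcmFor(key)
	if err == nil && len(ct) >= g.NonceSize() {
		if plain, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(c.Generated)); err == nil {
			return s, json.Unmarshal(plain, &s)
		}
	}
	return s, fmt.Errorf("cookie is malformed or failed authentication")
}

func main() {
	sl, day := NewSecretLog(3), time.Date(2008, 3, 10, 0, 0, 0, 0, time.UTC)
	_ = sl.Rotate(day)
	c, _ := Seal(sl, day, Session{User: "rjbs"})
	for i := 1; i <= 3; i++ { // three more daily rotations evict day one's key
		_ = sl.Rotate(day.AddDate(0, 0, i))
	}
	_, err := Open(sl, c)
	fmt.Println("after three rotations:", err)
}
```

Two points the example makes concrete. First, the window is enforced by forgetting: once `Rotate` has dropped a day's key, nothing the server holds can open cookies from that day, so recovering the secret later buys nothing. Second, with the day string bound as GCM associated data, a client cannot take a ciphertext minted on one day and present it under a different `generated` value to keep it alive past the window.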