Hi, I read a good suggestion:
"And DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY A HASH OF IT! The login token is Password Equivalent, so if an attacker got his hands on your database, he/she could use the tokens to log in to any account, just as if they were cleartext login-password combinations. Therefore, use strong salted hashing (bcrypt / phpass) when storing persistent login tokens."
I've seen that C::P::Session::Store::File stores the token of the session on the server, and not only its hash. Is there a way to configure this plugin to store just the hash of the token on the server?
--Octavian _______________________________________________ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://email@example.com/ Dev site: http://dev.catalyst.perl.org/