On 14 Jun 2003 at 19:07, Rich Salz wrote:
> When I've done login and state management, it's all 
> maintained on the server side.  It's completely independent 
> of SSL sessions -- that's transport, has no place in 
> application -- just like it's completely independent of 
> HTTP/1.1 session management.  A logout page isn't the same as 
> "Connection: close" :)
> The only thing in the cookie is an opaque identifier.  It's 
> purely random bytes (for which OpenSSL's RAND_bytes() is 
> useful),

Which is fine provided your code, rather than the framework
code, provided the cookie, and provided you generated the cookie
in response to a valid login, as Ben Laurie does.  The
framework, however, generally provides insecure cookies.

         James A. Donald
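An added illustration of the scheme the two posts describe (server-side state keyed by an opaque random identifier, issued only after a valid login, and invalidated by a logout page rather than by the transport); this is example code written for this page, not Rich Salz's, Ben Laurie's, or OpenSSL's. It uses Python's `secrets` module as the CSPRNG in place of OpenSSL's RAND_bytes(); the `USERS` table, the 32-byte token length and the cookie name `session` are constructed assumptions.

```python
import hmac
import secrets
from typing import Optional

# Assumption: 32 bytes (256 bits) of randomness per identifier. The cookie
# value carries nothing but this random string; all meaning lives server-side.
TOKEN_BYTES = 32

# Constructed credential table for the example. A real system stores a
# password hash, never the password itself.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side session state, keyed by an opaque random identifier."""

    def __init__(self) -> None:
        # token -> username; the only place the token means anything
        self._sessions = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a fresh random identifier only when the credentials check out."""
        expected = USERS.get(username)
        if expected is None:
            return None
        # Constant-time comparison so timing does not leak how much matched.
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        # secrets.token_hex draws from the OS CSPRNG (stand-in for RAND_bytes).
        token = secrets.token_hex(TOKEN_BYTES)
        self._sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve an identifier presented in a cookie; unknown tokens map to nobody."""
        return self._sessions.get(token)

    def logout(self, token: str) -> bool:
        """Application-level logout: forget the state. Independent of whether
        the underlying SSL or HTTP/1.1 connection is still open."""
        return self._sessions.pop(token, None) is not None


def set_cookie_header(token: str) -> str:
    """Cookie carrying only the opaque identifier, with conservative attributes."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    assert store.login("alice", "wrong password") is None
    tok = store.login("alice", "correct horse battery staple")
    print(set_cookie_header(tok))
    print("resolves to:", store.user_for(tok))
    store.logout(tok)
    print("after logout:", store.user_for(tok))
```

Note that a token is created only inside `login`, after the credential check, which is the property the reply insists on: the framework must not hand out a session cookie to an anonymous visitor that later gets "upgraded" to an authenticated one.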

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
