On Wed, Nov 08, 2000 at 11:14:58PM -0500, Ilia Lobsanov wrote:
> Shouldn't cookies be sent and validated with MD5 signature?
you'd need to include some sort of server-side secret too to prevent
tampering. (eg: see Digest::HMAC)
the "sparseness" of the session ids should be enough to stop
tampering as is (trying every possibility in order to hijack someone
else's session is impractical). logging the failed attempts to
apache's error.log would make it fairly noticeable too (embperl doesn't
currently do this).
if you're worried about sniffing session ids, replay attacks, etc then
that's a whole other kettle of fish. SSL is by far the easiest
solution for that.
--
- Gus
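The two points in the reply (a plain digest is not enough without a server-side secret, and a sparse random session id plus logging of failed checks is the practical defence) as an added example. This is not code from the thread, from embperl or from Digest::HMAC; it uses Python's standard `hmac`, `hashlib`, `secrets` and `logging` modules instead of the Perl module named above, and the `SERVER_SECRET` value, the `client_ip` parameter and the cookie layout `id.mac` are assumptions made for the example.

```python
import hashlib
import hmac
import logging
import secrets
from typing import Optional

# Assumed server-side secret for the example. A real deployment loads it
# from configuration and never sends it to the client.
SERVER_SECRET = b"example-secret-for-illustration-only"

logger = logging.getLogger("session")


def new_session_id(nbytes: int = 16) -> str:
    """Session id from the OS CSPRNG; 128 bits of entropy is the 'sparseness'
    that makes enumerating ids to find a live session impractical."""
    return secrets.token_hex(nbytes)


def unkeyed_digest_cookie(session_id: str) -> str:
    """Cookie layout 'id.md5(id)' with no secret: anyone can recompute the
    digest for an id of their choosing, so it detects nothing."""
    return f"{session_id}.{hashlib.md5(session_id.encode()).hexdigest()}"


def verify_unkeyed(cookie: str) -> Optional[str]:
    """Accepts any cookie whose digest matches its id, secret or not."""
    session_id, sep, digest = cookie.rpartition(".")
    if not sep or hashlib.md5(session_id.encode()).hexdigest() != digest:
        return None
    return session_id


def sign_cookie(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Cookie layout 'id.hmac', MAC keyed with the server-side secret."""
    mac = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET,
                  client_ip: str = "-") -> Optional[str]:
    """Return the session id if the MAC verifies, otherwise log the failed
    attempt (the check embperl is said not to do) and return None."""
    session_id, sep, mac = cookie.rpartition(".")
    if not sep or not session_id:
        logger.warning("malformed session cookie from %s", client_ip)
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(mac, expected):
        logger.warning("session cookie MAC mismatch from %s (id=%s)",
                       client_ip, session_id)
        return None
    return session_id


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sid = new_session_id()
    good = sign_cookie(sid)
    print("valid cookie  ->", verify_cookie(good, client_ip="198.51.100.7"))
    # Constructed tampered cookie: the id is replaced but the old MAC kept.
    bad = "0" * len(sid) + good[len(sid):]
    print("tampered      ->", verify_cookie(bad, client_ip="198.51.100.7"))
    print("unkeyed md5   ->", verify_unkeyed(unkeyed_digest_cookie("anything")))
```

The unkeyed variant is kept only to show why the reply insists on a secret: the server cannot tell a cookie it issued from one a client built itself. With the keyed MAC, a changed id or MAC fails verification and the failure is written to the log where it can be counted and alerted on.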