On Thu, 2002-02-14 at 06:17, Jay Lawrence wrote:
> Jeffrey - interesting point!
>
> What did you have in mind to encrypt the cookie data? Perhaps you could use
> Storable to serialize data structure then convert, crypt to scramble and
> then MIME64 to text encode?
I am not encrypting the session data in this system, because the contents are not sensitive. I base64 encode a gzipped Storable-frozen object, which contains another Storable-frozen object and the SHA1 digest of itself. When the cookie is recovered, I simply decode, uncompress, thaw, check the digest, and thaw the inner object. The code is simple:

    use Storable qw(nfreeze thaw);
    use Compress::Zlib qw(compress uncompress);
    use MIME::Base64 qw(encode_base64 decode_base64);
    use Digest::SHA1 qw(sha1_hex);

    # BIG_SECRET is a server-side constant defined elsewhere; it is appended
    # to the frozen session before hashing so the client cannot forge the digest.

    # Cookie value -> session hashref, or undef if the digest does not match.
    sub realize_session {
        my ($foo) = @_;
        my ($i, $s);
        $i = thaw(uncompress(decode_base64($foo)));
        return undef unless ref $i eq 'HASH';    # corrupt or truncated cookie
        if (sha1_hex($i->{content} . BIG_SECRET) eq $i->{hash}) {
            $s = thaw($i->{content});
            return $s;
        }
        return undef;
    }

    # Session hashref -> cookie value.
    sub serialize_session {
        my ($s) = @_;
        my ($i, $frz, $foo);
        $frz = nfreeze($s);
        $i = { content => $frz, hash => sha1_hex($frz . BIG_SECRET) };
        # '' as the eol argument keeps newlines out of the cookie header value.
        $foo = encode_base64(compress(nfreeze($i)), '');
        return $foo;
    }

It's fortunate that all of these functions are fast. Base64, Zlib, Storable, and SHA1 are all implemented in C.

> I agree with you on processing delays - that is probably the biggest
> drawback to needing to send cookies as part
> of response header. Using Template Toolkit a lot myself, I have to make a
> workaround to handle the cookie situation
> as well.

My strategy for document generation is to build a DOM tree and then create the output by serializing the DOM to XML or HTML. So, it is natural in this application to just set everything up before sending the response. But I can imagine that if you wanted an intermediate page, progress indications, and so forth you might have to jump through hoops.

> I've got a tied interface to Apache::Cookie's mostly completed - it would be
> easy to add the encryption that you describe above to
> them. See: http://www.infonium.com/perl/ for a link to Apache::Tie::Cookie.
> Featuring tied interface and lazy (demand) loading of cookie data.

Thanks!

-jwb
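A hardened variant of the integrity-checked cookie described in the message above, added here as an example; it is not jwb's code and not part of Apache::Tie::Cookie. It keeps the same base64(zlib(Storable)) layering but puts a fixed-width HMAC (Digest::SHA, core Perl) in front of the frozen session, verifies it with a constant-time comparison, and only then calls thaw. The point of the ordering is that Storable never sees bytes the server did not produce itself, whereas the original thaws the outer wrapper before it can check anything. The key value, the sample session, and the consteq helper are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Compress::Zlib qw(compress uncompress);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(hmac_sha256);

# Example key only (hypothetical); a real deployment loads the key from
# outside the source tree and rotates it.
my $KEY = pack('H*', '0b' x 32);   # 32 bytes

use constant MAC_LEN => 32;        # hmac_sha256 returns 32 raw bytes

# cookie = base64( zlib( HMAC(frozen) . frozen ) )
# The MAC sits first at a fixed width, so the verifier can split the payload
# without parsing any of it.
sub serialize_session {
    my ($session, $key) = @_;
    my $frz = nfreeze($session);                 # network byte order, portable across hosts
    my $mac = hmac_sha256($frz, $key);
    return encode_base64(compress($mac . $frz), '');   # '' eol: no newlines in a header value
}

# Returns the session hashref, or undef for anything that fails a check.
sub realize_session {
    my ($cookie, $key) = @_;
    return undef unless defined $cookie && length $cookie;
    my $raw = uncompress(decode_base64($cookie));
    # uncompress() returns undef on corrupt input; also refuse anything too
    # short to carry a MAC plus at least one byte of payload.
    return undef unless defined $raw && length($raw) > MAC_LEN;
    my $mac = substr($raw, 0, MAC_LEN);
    my $frz = substr($raw, MAC_LEN);
    # Verify before thaw: Storable only ever deserializes authenticated bytes.
    return undef unless consteq($mac, hmac_sha256($frz, $key));
    return thaw($frz);
}

# Constant-time equality so the position of the first mismatch does not leak
# through timing.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

unless (caller) {
    # Constructed sample session.
    my $session = { user => 'jwb', cart => [qw(book pen)], visits => 3 };
    my $cookie  = serialize_session($session, $KEY);
    my $back    = realize_session($cookie, $KEY);
    print "round trip ok: user=$back->{user} visits=$back->{visits}\n";

    # Flip one bit inside the frozen payload, re-encode, and confirm rejection.
    my $raw = uncompress(decode_base64($cookie));
    my $pos = MAC_LEN + 5;
    substr($raw, $pos, 1) = chr(ord(substr($raw, $pos, 1)) ^ 1);
    my $tampered = encode_base64(compress($raw), '');
    print "tampered cookie rejected: ",
        (defined realize_session($tampered, $KEY) ? 'no' : 'yes'), "\n";
    print "wrong key rejected: ",
        (defined realize_session($cookie, 'other-key') ? 'no' : 'yes'), "\n";
}
```

Two caveats worth keeping in mind with this layout. First, the MAC covers only the frozen bytes, not a timestamp or session id, so a captured cookie remains valid until the key is rotated; add an expiry field inside the session if that matters. Second, even authenticated input reaches Storable, which can bless data into arbitrary classes and run STORABLE_thaw hooks, so the protection is only as good as the key's secrecy; where a cookie crosses a trust boundary, a data-only format such as JSON is the safer payload.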