>
> If the cookie needs to be encrypted, why not just encrypt it and worry less
> about the transport layer? Or just down one hash value id cookie and pull
> back the secure data for action just on the server?
>
> Bastien


The issue highlighted in Yannick's question wouldn't be resolved by merely
encrypting the cookie value.

Encrypting a cookie value protects the value encrypted, and for some
situations this is exactly what you want.  Maybe you're storing preferences
for your app, but want to make sure they aren't tampered with, etc.

However, encrypting a cookie that's used as an auth token won't buy you
anything if the transport layer doesn't provide encryption.  That's because
an auth token's mere presence works to sufficiently identify an authenticated
user.  I don't have to know what the value in the cookie means in any way.

Does this help clear up your question, or did I misunderstand you, Bastien?

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com
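
The point made in the reply above, as an added example that is not part of the original message: an encrypted auth cookie resists tampering, yet a verbatim copy of it still authenticates, so the cookie has to be kept off unencrypted connections. It assumes PHP 7.2+ with the bundled sodium extension; `issueToken()` and `authenticate()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);
// Added illustration. issueToken() and authenticate() are hypothetical helpers.

// Server: seal the session data into an opaque cookie value.
function issueToken(string $user, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox(json_encode(['user' => $user]), $nonce, $key);
    return base64_encode($nonce . $box);
}

// Server: decrypt whatever cookie value arrives; null means "not logged in".
function authenticate(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;
    }
    return json_decode($plain, true)['user'] ?? null;
}

$key = sodium_crypto_secretbox_keygen();
$cookie = issueToken('alice', $key); // constructed sample user

// Encryption does its job against tampering: a changed value is rejected.
$tampered = $cookie;
$tampered[10] = ($cookie[10] === 'A') ? 'B' : 'A';
echo 'tampered copy: ', authenticate($tampered, $key) ?? 'rejected', PHP_EOL;

// It does nothing against replay: a byte-for-byte copy of the value, such as
// one read off a plain-HTTP connection, is indistinguishable from the original.
$copied = $cookie;
echo 'verbatim copy: ', authenticate($copied, $key) ?? 'rejected', PHP_EOL;

// Mitigation: keep the cookie off unencrypted connections altogether.
$options = [
    'secure' => true,   // sent over https:// only
    'httponly' => true, // hidden from page scripts
    'samesite' => 'Strict',
    'path' => '/',
];
// In a real response: setcookie('auth', $cookie, $options);  (PHP 7.3+)
```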
