> If the cookie needs to be encrypted, why not just encrypt it and worry less
> about the transport layer? Or just down one hash value id cookie and pull
> back the secure data for action just on the server?
> Bastien

The issue highlighted in Yannick's question wouldn't be resolved by merely
encrypting the cookie value.

Encrypting a cookie value protects the value encrypted, and for some
situations this is exactly what you want.  Maybe you're storing preferences
for your app, but want to make sure they aren't tampered with, etc.

However, encrypting a cookie that's used as an auth token won't buy you
anything if the transport layer doesn't provide encryption.  That's because
an auth token mere presence works to sufficiently identify an authenticated
user.  I don't have to know what the value in the cookie means in any way.

Does this help clear up your question, or did I misunderstand you, Bastien?


Nephtali:  PHP web framework that functions beautifully

Reply via email to