On Tue, Nov 9, 2010 at 2:10 PM, Adam Richardson <simples...@gmail.com> wrote:
>> If the cookie needs to be encrypted, why not just encrypt it and worry less
>> about the transport layer? Or just down one hash value id cookie and pull
>> back the secure data for action just on the server?
> The issue highlighted in Yannick's question wouldn't be resolved by merely
> encrypting the cookie value.
> Encrypting a cookie value protects the value encrypted, and for some
> situations this is exactly what you want. Maybe you're storing preferences
> for your app, but want to make sure they aren't tampered with, etc.
> However, encrypting a cookie that's used as an auth token won't buy you
> anything if the transport layer doesn't provide encryption. That's because
> an auth token's mere presence works to sufficiently identify an authenticated
> user. I don't have to know what the value in the cookie means in any way.
> Does this help clear up your question, or did I misunderstand you, Bastien?
> Nephtali: PHP web framework that functions beautifully
Nope, makes sense, Adam.
Cat, the other other white meat
PHP General Mailing List (http://www.php.net/)
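The distinction drawn in the thread, as an added PHP example (not code from any of the posters): an encrypted, authenticated cookie value resists reading and tampering, yet the server accepts a verbatim copy from whoever presents it, so the cookie still has to be restricted to TLS. The function names, the cookie name `auth` and the user id are constructed for illustration; it assumes PHP 7.3+ with the sodium extension.

```php
<?php
declare(strict_types=1);

// Constructed example: server-side secret key, never sent to the client.
$key = sodium_crypto_secretbox_keygen();

// Issue an encrypted and authenticated token for a logged-in user (hypothetical helper).
function issueToken(string $userId, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($userId, $nonce, $key));
}

// Validate a token taken from the Cookie header; returns the user id or null (hypothetical helper).
function userFromToken(string $token, string $key): ?string
{
    $raw = base64_decode($token, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$cookie = issueToken('user-42', $key);   // constructed user id

// The mitigation lives in the transport: "secure" keeps the browser from
// sending this cookie over plain HTTP; "httponly" hides it from page scripts.
setcookie('auth', $cookie, [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 1) Encryption protects the value: a modified copy fails authentication.
$tampered = $cookie;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(userFromToken($tampered, $key));

// 2) Encryption does not bind the value to a client: the same bytes sent by
//    any other party validate exactly as they do for the legitimate user.
$copyFromAnotherClient = $cookie;
var_dump(userFromToken($copyFromAnotherClient, $key));
```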