On Mon, Mar 10, 2008 at 8:28 AM, Perrin Harkins [EMAIL PROTECTED] wrote:
Have you tried browsing the web without cookies recently? It doesn't
work at all on a large number of popular sites. For better or worse,
cookies are a part of the deal now.
But that doesn't mean anything belongs in
* Mark Fuller [EMAIL PROTECTED] [2008-03-10T09:06:30]
On Mon, Mar 10, 2008 at 3:56 AM, Ricardo SIGNES
[EMAIL PROTECTED] wrote:
stores your whole session in the cookie. It's stored as a base64-encoded,
Rijndael-enciphered, JSON-encoded string. This seemed like a swell idea
for me,
I
* Michael Peters [EMAIL PROTECTED] [2008-03-10T09:15:26]
Ricardo SIGNES wrote:
It's a Catalyst plugin that stores your whole session in the cookie. It's
stored as a base64-encoded, Rijndael-enciphered, JSON-encoded string.
Krang does this as well and I've used it on lots of other
* Mark Fuller [EMAIL PROTECTED] [2008-03-10T09:27:47]
On Mon, Mar 10, 2008 at 6:15 AM, Michael Peters [EMAIL PROTECTED] wrote:
I just use a URL encoded JSON cookie. I don't put anything sensitive in
there.
Is there a risk that this contributes to the bad reputation of
cookies? One
On Mon, Mar 10, 2008 at 11:43 AM, Mark Fuller [EMAIL PROTECTED] wrote:
But that doesn't mean anything belongs in a cookie. It seems to me if
it can't be clear text it shouldn't be in a cookie. At least if it's
clear text I have the opportunity to see what's going on and make a
choice about
On Mon, Mar 10, 2008 at 11:46 AM, Mark Fuller [EMAIL PROTECTED] wrote:
BTW: I didn't understand the part in the Catalyst documentation saying
the benefit of sending the session in the cookie is that you don't
have to access the disk. I assume that's supposed to be a performance
benefit.
* Mark Fuller [EMAIL PROTECTED] [2008-03-11T10:52:29]
On Mon, Mar 10, 2008 at 9:54 AM, Ricardo SIGNES
I wouldn't use this for anything like banking or credit cards, but I feel
pretty okay about it for things like a Rubric login.
The problem (from my perspective) is that if it's encrypted
Ricardo SIGNES wrote:
Is your objection just that you don't want me storing anything in your
browser's cookie jar that isn't plaintext or a serial number?
Also, I'd like to make the point that a good unique session id (like one
generated from mod_unique_id) will be indistinguishable from some
On Tue, Mar 11, 2008 at 8:19 AM, Ricardo SIGNES
[EMAIL PROTECTED] wrote:
Is your objection just that you don't want me storing anything in your
browser's cookie jar that isn't plaintext ...
Yes. I thought I'd said that more than once. An unfortunate perception
exists among many that cookies
On Mon, Mar 10, 2008 at 3:56 AM, Ricardo SIGNES
[EMAIL PROTECTED] wrote:
stores your whole session in the cookie. It's stored as a base64-encoded,
Rijndael-enciphered, JSON-encoded string. This seemed like a swell idea for
me,
I hear a lot about brute-force attacks on encryption. Also,
This probably goes without saying, but I would add that this approach
isn't for every application. For example, we have an e-commerce
application that has our user leaving our site to complete a credit card
transaction and then comes back to our site to complete the order with
the session id.
On Mon, Mar 10, 2008 at 6:15 AM, Michael Peters [EMAIL PROTECTED] wrote:
I just use a URL encoded JSON cookie. I don't put anything sensitive in
there.
Is there a risk that this contributes to the bad reputation of
cookies? One person puts stuff in a cookie and obfuscates it
(presumably for
On Mon, Mar 10, 2008 at 9:27 AM, Mark Fuller [EMAIL PROTECTED] wrote:
To me, it sounds like the kind of thing that makes people disable
cookies entirely
Have you tried browsing the web without cookies recently? It doesn't
work at all on a large number of popular sites. For better or worse,