On Thu, 14 Feb 2002 11:35:14 -0500
"Perrin Harkins" <[EMAIL PROTECTED]> wrote:
> It's really a good idea to do this even when the cookie is nothing but a
> session ID. A standard module for this like the one Jay mentioned would
> definitely be nice.
Apache::Cookie::Encrypted seems to be the on
> I dunno... That sounds like a LOT of overhead for just a session ID
> that's gonna result in server lookups too...
It's really not. It adds a negligible amount of time to the request. As
Jeffrey pointed out, the functions he's using are all in C and very fast.
Why verify session IDs? To make
Perrin Harkins wrote:
>>When the cookie is recovered, I simply decode, uncompress, thaw, check
>>the digest, and thaw the inner object.
>>
>
>It's really a good idea to do this even when the cookie is nothing but a
>session ID. A standard module for this like the one Jay mentioned would
>definit
> When the cookie is recovered, I simply decode, uncompress, thaw, check
> the digest, and thaw the inner object.
It's really a good idea to do this even when the cookie is nothing but a
session ID. A standard module for this like the one Jay mentioned would
definitely be nice.
> My strategy fo
On Thu, 2002-02-14 at 06:17, Jay Lawrence wrote:
> Jeffrey - interesting point!
>
> What did you have in mind to encrypt the cookie data? Perhaps you could use
> Storable to serialize data structure then convert, crypt to scramble and
> then MIME64 to text encode?
I am not encrypting the session
See: http://www.infonium.com/perl/ for a link to Apache::Tie::Cookie.
Featuring tied interface and lazy (demand) loading of cookie data.
Jay
- Original Message -
From: "Jeffrey W. Baker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 13, 2002 3:
I have sometimes proposed or recommended schemes of storing session
information in an HTTP cookie, encoded and protected by cryptographic
digest. I know some people on this list have implemented similar
schemes, but I have never actually had occasion to do so. Now I am
doing that, and I realize