There is a difference. If you have a UUID session cookie and a server-side session and an attacker hijacks the cookie, he can only get access to the account of the compromised user.

If the session is stored client-side and the attacker hijacks the cookie, he can tamper with the data in the session and, depending on what the session cookie stores, may get access to more than the data of the compromised user.

Massimo

On Jul 31, 1:58 am, Armin Ronacher <[email protected]> wrote:
> Hi,
>
> On Jul 31, 2:38 am, Scott <[email protected]> wrote:
> > I do not agree with item 1. Session data should never be stored
> > client-side as it opens a rather large attack vector.
>
> Which attack vector exists for signed cookies with a signed timeout
> compared to just session IDs in cookies? Both can be hijacked by a man
> in the middle.
>
> Regards,
> Armin
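As an added illustration of the "signed cookies with a signed timeout" Armin refers to (example code written for this page, not from either poster or their projects): a minimal HMAC-signed client-side session whose issue timestamp sits inside the signed payload, so an altered payload or an extended lifetime fails verification before the data is ever parsed. `SECRET_KEY` and `SESSION_TTL` are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the example; a real deployment loads the key from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"
SESSION_TTL = 3600  # seconds a signed cookie stays valid after issue


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, now=None) -> str:
    """Serialize session data together with an issue timestamp and sign both.

    Because the timestamp is part of the signed payload, the cookie holder
    cannot extend the session lifetime without invalidating the signature.
    """
    issued = int(now if now is not None else time.time())
    body = json.dumps({"d": data, "t": issued}, separators=(",", ":")).encode()
    payload = _b64(body)
    mac = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def load_session(cookie: str, now=None):
    """Return the session dict if the cookie is authentic and unexpired, else None.

    The signature is checked (in constant time) before the payload is decoded,
    so untrusted bytes are only interpreted once they carry a valid MAC.
    """
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered payload or forged signature
        body = json.loads(_unb64(payload))
        current = now if now is not None else time.time()
        if current - body["t"] > SESSION_TTL:
            return None  # signed timestamp is older than the allowed lifetime
        return body["d"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie: missing separator, bad base64, bad JSON
```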

