> > > I assume the cookie is cryptographically signed so it can't be modified,
> > > so SSL shouldn't be necessary (though could optionally be turned on for
> > > additional protection to keep the contents private).
>
> Knowing the application and its state can someone find the key since
> there is a single encryption/decryption key?
I don't know all the details of the implementation, but I think an HMAC hash is being used, so I would think it should be secure. Also, it looks like the content itself is being encrypted as well.

> >> Could we also leverage the browser local store as an option?
> >
> > How would the server access the session then?
>
> encrypting its content with a nonce from server and sending back
> encrypted data in a header?

But the session has to go back to the server on every request anyway, so why bother storing in local storage at all?

Anthony
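The thread above talks about an HMAC-signed session cookie and why the signature alone does not keep the contents private. The following is an added illustration, not code from the project being discussed: it signs a small session payload with HMAC-SHA256 under a server-side key, verifies it with a constant-time comparison, and shows that a tampered cookie is rejected while the unsigned body remains readable to anyone who holds the cookie. The key, payload and cookie format (`base64(body).hex(tag)`) are constructed for the example; a real deployment would additionally encrypt the body (for example with an AEAD from the `cryptography` package) before signing if confidentiality is required.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the example; a real key is generated
# with secrets.token_bytes(32) and never leaves the server.
SERVER_KEY = b"example-only-server-key-do-not-reuse"


def _encode_body(payload: dict) -> str:
    """Serialize the session payload deterministically and base64url-encode it."""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_cookie(key: bytes, payload: dict) -> str:
    """Return body.tag where tag = HMAC-SHA256(key, body)."""
    body = _encode_body(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(key: bytes, cookie: str):
    """Return the payload if the tag is valid for this key, else None.

    hmac.compare_digest is used so that a forged tag cannot be guessed
    byte-by-byte through response timing.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def replace_body(cookie: str, new_payload: dict) -> str:
    """Swap the body but keep the old tag: what a client without the key can do."""
    _, tag = cookie.rsplit(".", 1)
    return f"{_encode_body(new_payload)}.{tag}"


def readable_without_key(cookie: str) -> dict:
    """The signature protects integrity only; the body is plain base64."""
    body, _ = cookie.rsplit(".", 1)
    return json.loads(base64.urlsafe_b64decode(body.encode()))


if __name__ == "__main__":
    session = {"uid": 42, "role": "user"}
    cookie = sign_cookie(SERVER_KEY, session)
    print("valid   :", verify_cookie(SERVER_KEY, cookie))
    print("tampered:", verify_cookie(SERVER_KEY, replace_body(cookie, {"uid": 42, "role": "admin"})))
    print("exposed :", readable_without_key(cookie))
```

The two `print` lines at the end make the thread's point concrete: without the server key the body can be altered but the altered cookie no longer verifies, yet the original body is fully readable, which is why the original poster suggests SSL (or encrypting the content) when the session data itself must stay private.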