On Monday, June 11, 2012 1:31:47 PM UTC-7, mcm wrote:
> 2012/6/11 Anthony <[email protected]>:
>>> Does it make sense if we impose that the in-cookie session can be
>>> enabled only on SSL sessions?
>>
>> I assume the cookie is cryptographically signed so it can't be modified, so
>> SSL shouldn't be necessary (though could optionally be turned on for
>> additional protection to keep the contents private).
>
> Knowing the application and its state, can someone find the key, since
> there is a single encryption/decryption key?

I don't see why someone couldn't brute force it on their system once they get a session. I suppose it would help to have the key change on a regular enough basis for this to not be a problem. Seeing as how the RC5 72-bit key still hasn't been brute forced yet (http://stats.distributed.net/projects.php?project_id=8), and that's using 2000 computers for the past few years, they anticipate it will take them 90 years to complete the project. So, 128-bit encryption with a key generated on server start should be secure enough. By the time you break the encryption, your key will be useless.

>>> Could we also leverage the browser local store as an option?
>>
>> How would the server access the session then?
>
> Encrypting its content with a nonce from the server and sending back
> the encrypted data in a header?
>
>> Anthony
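To make the two points in this exchange concrete (a signed cookie can't be modified, but signing alone doesn't keep its contents private, and a key drawn at server start voids older cookies when it rotates), here is an added example that is not code from the thread or from any project discussed in it. It assumes a JSON session dict, HMAC-SHA256 with a 128-bit key from `os.urandom`, and a `payload.tag` cookie layout; all of those are choices made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed example: one 128-bit signing key drawn at process start, as the
# thread proposes; restarting the server rotates it and voids older cookies.
SERVER_KEY = os.urandom(16)

def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _serialize(session: dict) -> bytes:
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()

def encode_session(session: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over it.
    The payload is base64-encoded, not encrypted: whoever holds the cookie
    can read it, so TLS is still what keeps its contents private."""
    payload = _serialize(session)
    return _b64(payload) + "." + _b64(_tag(key, payload))

def decode_session(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict if the tag verifies under `key`, else None.
    compare_digest keeps the check constant-time so the tag does not leak
    byte by byte through response timing."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_tag(key, payload), tag):
        return None
    return json.loads(payload)

def read_without_key(cookie: str) -> dict:
    """Integrity is not confidentiality: the payload decodes without the key."""
    return json.loads(base64.urlsafe_b64decode(cookie.split(".", 1)[0]))

def swap_payload(cookie: str, session: dict) -> str:
    """Constructed test input: new payload, old tag; decode_session must reject it."""
    return _b64(_serialize(session)) + "." + cookie.split(".", 1)[1]
```

`decode_session` returns None both for a payload altered under the old tag and for a cookie checked under a different key, which is the rotation-on-restart behaviour the thread relies on; `read_without_key` shows why the "keep the contents private" part still needs SSL.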

