you're only going to compare one resulting cipher to another resulting cipher you 
have stored -- knowing they calculate to the same result and are the 
same/correct is enough to ensure people haven't just made up a cookie, and you'd 
never reveal a cookie that would be useful.


On Feb 20, 2013, at 12:02 PM, Pascal Robert <[email protected]> wrote:

> What would you use for storing details about a user in a cookie for 
> stateless apps (e.g., in a "keep me logged in" situation)? I see two solutions:
> 
> - Using Blowfish to encrypt the username in the cookie, and to decrypt the 
> value of the cookie to see who the user is;
> 
> - Encrypting the username with BCrypt, storing the encrypted username in the 
> database and in the cookie, and doing a comparison.
> 
> Opinions? The only problem I see with the first one is that if someone finds 
> the cipher key, you're toast, but at the same time, if they find it, it's 
> probably because it was stored in the file system or in an SCM, so if they 
> found it, you will probably have other problems too.
> 
> 
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      ([email protected])
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/jtayler%40oeinc.com
> 
> This email sent to [email protected]
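The "compare a stored hash against what the cookie carries" approach from the reply above, as an added example that is not part of this thread and not anyone's WebObjects code. It assumes a Python stand-in for the database (an in-memory dict, constructed here) and makes one design choice worth spelling out: the cookie carries a fresh random secret, and only the SHA-256 digest of that secret goes into the database, so a leaked table does not yield usable cookies. Hashing the username itself (as the second option in the question describes) would put the same value in the cookie and the database, which is exactly what you want to avoid. A fast hash is enough here because the secret has 256 bits of entropy; BCrypt's cost factor matters for low-entropy inputs like passwords, and using it instead would also work but needs a third-party library.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the "remember me" table in the database.
# username -> (hex SHA-256 digest of the cookie secret, expiry as unix time)
REMEMBER_ME_DB: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime for a remember-me cookie


def _digest(token: str) -> str:
    """Digest stored server-side; the clear token never touches the database."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_cookie(username: str, now: Optional[float] = None) -> str:
    """Create a 'keep me logged in' cookie value and store only its digest."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe, no ':'
    REMEMBER_ME_DB[username] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return f"{username}:{token}"


def user_from_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    # rpartition: the token never contains ':', so a ':' in the username is harmless
    username, sep, token = cookie.rpartition(":")
    if not sep or not username or not token:
        return None
    record = REMEMBER_ME_DB.get(username)
    if record is None:
        return None
    stored_digest, expires_at = record
    if now > expires_at:
        return None
    # Constant-time comparison so a forger cannot learn how much of the digest matched.
    if not hmac.compare_digest(_digest(token), stored_digest):
        return None
    return username


def revoke(username: str) -> None:
    """Log the user out everywhere: without the digest, no cookie can verify."""
    REMEMBER_ME_DB.pop(username, None)
```

With this layout the database row is useless on its own: pasting the stored digest into a cookie fails, because the server digests whatever the cookie carries before comparing, and the digest of a digest is a different value.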

