httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Schrenk <>
Subject Lightweight encryption code?
Date Mon, 04 Nov 1996 06:05:26 GMT

Pardon me for this slightly off-topic message, but I thought this might 
be of some interest to other developers.

I'm writing a module that uses cookies to keep state, and it would make my
life much easier if I were to be able to keep certain information in a
cookie that I could be reasonably confident was actually set by my
application.  For example, the application stores user preferences on the
server, and a cookie is set containing the user's login, and the module
looks at the cookie and fetches the user's preferences and then builds
them customized content.

There are a number of reasons why storing all the information in cookies
is not possible for this system, and forcing the user to log in every time
they visit the site is inconvenient. The user's preferences information is
not particularly sensitive data, but it would be nice to prevent a user
from submitting a cookie with someone else's userid and seeing their
preferences.  All information in this system that is more sensitive, such
as the application which allows the user to modify their preferences,
requires the user to login but other areas that serve customized content are 
unauthenticated for convenience. 

What I decided to do was to encrypt the data in the cookie, and I have
that working right now using the publicly available cryptlib library, but
the library is large (~300K on my system) and linking it into an Apache
module increases RAM usage on the system quite a bit when Apache starts
spawning many processes.  What I'd like to use is some other encryption 
code that is as small as possible, or some other mechanism to prevent a 
user from easily falsifying information in the cookie.  It doesn't have 
to be real secure, it just has to prevent an mischievous user from easily 
faking the data -- a simple character substitution mechanism is probably 
too simple.


Nathan Schrenk
Neoglyphics Media Corp.                    

View raw message