perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Chudov <ichu...@gmail.com>
Subject Re: Updating cookies in header during request processing
Date Fri, 18 Sep 2009 16:33:34 GMT
Hi Randal, nice to see you. Your suggestion is where I am coming FROM: right
now the cookie is only a key into the mysql table which holds session data.

What I want  is to stop using that table altogether and let the browser hold
the information, in a manner that is straightforward, flexible and secure.

Igor

On Fri, Sep 18, 2009 at 9:33 AM, Randal L. Schwartz
<merlyn@stonehenge.com>wrote:

> >>>>> "Igor" == Igor Chudov <ichudov@gmail.com> writes:
>
> Igor> I was very excited by the suggestion to use cookies to store the
> entire
> Igor> session information, and to keep it safe by means of base64 encoding
> and
> Igor> MD5 hash with a secret salt, for storing session information securely
> on
> Igor> the client.
>
> Ahh, phase 2 of cookie awareness.  When you get to phase 3, you realize
> that
> cookies should really just be used to distinguish one browser from another,
> and hold everything server-side instead for far better security and
> flexibility.  (Remember, server-side could be something as simple as
> DBM::Deep, which is a single-file zero-install module that gives you
> arbitrary persistent Perl data structures efficiently.)
>
> See my (slightly aged but still valid) write-up of this at:
>
>  http://www.stonehenge.com/merlyn/WebTechniques/col61.html
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside
> discussion
>

Mime
View raw message