Re: Storing a user in a cookie
- Subject: Re: Storing a user in a cookie
- From: Jesse Tayler <email@hidden>
- Date: Wed, 20 Feb 2013 12:08:09 -0500
You're only going to compare one resulting cipher to another resulting cipher you have stored -- knowing they calculate to the same result and are the same/correct is enough to ensure people haven't just made up a cookie, and you'd never reveal a cookie that would be useful.
On Feb 20, 2013, at 12:02 PM, Pascal Robert <email@hidden> wrote:
> What would you use for storing details about a user in a cookie for stateless apps (e.g., in a "keep me logged in" situation)? I see two solutions:
>
> - Using Blowfish to encrypt the username in the cookie, and decrypting the value of the cookie to see who the user is;
>
> - Encrypting the username with BCrypt, storing the encrypted username in the database and in the cookie, and doing a comparison.
>
> Opinions? The only problem I see with the first one is that if someone finds the cipher key, you're toast, but at the same time, if they find it, it's probably because it was stored in the file system or in an SCM, so if they found it, you will probably have other problems too.
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
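The compare-a-stored-digest approach Jesse describes, written out as an added example that is not code from this thread or from WebObjects. It assumes an in-memory dictionary standing in for the database and uses a random per-login token (a selector for lookup plus a secret validator) instead of the username; the server stores only a SHA-256 digest of the validator and compares digests in constant time, so nothing in the cookie is ever decrypted and a copy of the stored rows does not yield a working cookie.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the database table:
#   selector -> (user_id, hex SHA-256 digest of the validator)
REMEMBER_ME_DB: dict = {}


def issue_remember_me_cookie(user_id: str) -> str:
    """Create a remember-me token for user_id and return the cookie value.

    The cookie carries a random selector (used only to find the row) and a
    random validator (the secret the client must present later). Only a
    digest of the validator is stored, so the database never holds a value
    that could be pasted into a cookie.
    """
    selector = secrets.token_urlsafe(9)    # 12 URL-safe chars, no ':'
    validator = secrets.token_urlsafe(32)  # 43 URL-safe chars, no ':'
    digest = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_ME_DB[selector] = (user_id, digest)
    return f"{selector}:{validator}"


def user_from_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the user_id the cookie belongs to, or None if it is not valid."""
    if not cookie or ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = REMEMBER_ME_DB.get(selector)
    if row is None:
        return None                      # no such token: made-up cookie
    user_id, stored_digest = row
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Compare digest-to-digest in constant time; no decryption, no key.
    if not hmac.compare_digest(presented, stored_digest):
        return None
    return user_id


def revoke_remember_me_cookie(cookie: str) -> None:
    """Invalidate a token server-side (logout, password change, etc.)."""
    selector = cookie.split(":", 1)[0]
    REMEMBER_ME_DB.pop(selector, None)


if __name__ == "__main__":
    cookie = issue_remember_me_cookie("pascal")
    print("cookie value:", cookie)
    print("resolves to:", user_from_cookie(cookie))
    print("tampered resolves to:", user_from_cookie(cookie + "x"))
```

The selector/validator split keeps the database lookup by an indexed column while the secret half is only ever compared as a digest; revoking a token is a row deletion, which is the one thing the encrypt-the-username design cannot do without keeping server-side state anyway.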