tedd wrote:
> Nice article.
Thanks.
> I question the reason why you would want to encrypt the cookie
> considering that before the user is going to be provided access to
> sensitive data that you require a password confirmation. The encryption
> seems to be an unnecessary overkill.
> So what if a malicious user uses a cookie to pretend to be a real user
> IF before they can get access to sensitive data they have to enter a
> correct password?
> Please explain.
Certainly. It's not about them getting access to the data in that
cookie, it's got more to do with ensuring the cookie contents remain
unchanged.
While it's true that the "remember me" cookie could live with not being
encrypted, I would then need to validate the data it contains. By
encrypting it I know that if it decrypts successfully it's exactly what
the site put in it at the end of the last request.
For some sites this would not be an issue, but due to some of the ways we
use the data in that cookie, I decided the cost of encrypting it against
the cost of validating it and the risks involved made encryption the
better option.
There is another reason... Cookies are sometimes stored in plain text on
the user's machine. Since that cookie contains an email address and
potentially a phone number it's much better to encrypt it and protect
our users.
Hope that answers your question.
-Stut
--
http://stut.net/
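As an added example (not Stut's code and not from the original thread), here is a PHP "remember me" cookie sealed with libsodium's secretbox. Secretbox authenticates the ciphertext before decrypting, so an altered, truncated or foreign-key cookie fails to open instead of decrypting to garbage; that is the "if it decrypts successfully it's exactly what the site put in it" property the reply relies on, and it holds for authenticated encryption only, not for a bare block or stream cipher. Assumes PHP 7.3+ with ext/sodium; the key loader and the payload fields are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical key loader: in production, load 32 random bytes generated once
// with sodium_crypto_secretbox_keygen() from config outside the web root.
// Demo only: this regenerates the key per process, so old cookies won't open.
function remember_me_key(): string
{
    static $key = null;
    if ($key === null) {
        $key = sodium_crypto_secretbox_keygen();
    }
    return $key;
}

// Cookie value = base64url(nonce || secretbox(json(payload))).
function seal_remember_me(array $payload, string $key): string
{
    $plain = json_encode($payload, JSON_THROW_ON_ERROR);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per cookie
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);   // encrypt + MAC
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the payload, or null if the cookie is malformed, tampered with,
// sealed under another key, or past its own expiry.
function open_remember_me(string $cookie, string $key): ?array
{
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64url
    }
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to even hold nonce + MAC
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($plain === false) {
        return null; // MAC check failed: contents are not what the site wrote
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data;
}

// Constructed demo: seal, open, then alter one character and open again.
$key    = remember_me_key();
$cookie = seal_remember_me(['uid' => 42, 'email' => 'user@example.com', 'exp' => time() + 30 * 86400], $key);
var_dump(open_remember_me($cookie, $key));
$tampered = $cookie;
$tampered[40] = ($tampered[40] === 'A') ? 'B' : 'A'; // inside the ciphertext part
var_dump(open_remember_me($tampered, $key));
```

The second var_dump shows the tampered cookie being rejected outright; no field-by-field validation of the decrypted contents is needed because the MAC covers the whole payload.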
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php