On Tue, Nov 9, 2010 at 2:10 PM, Adam Richardson <simpleshot@xxxxxxxxx> wrote:
>>
>> If the cookie needs to be encrypted, why not just encrypt it and worry less
>> about the transport layer? Or just down one hash value id cookie and pull
>> back the secure data for action just on the server?
>>
>> Bastien
>
>
> The issue highlighted in Yannick's question wouldn't be resolved by merely
> encrypting the cookie value.
>
> Encrypting a cookie value protects the value encrypted, and for some
> situations this is exactly what you want. Maybe you're storing preferences
> for your app, but want to make sure they aren't tampered with, etc.
>
> However, encrypting a cookie that's used as an auth token won't buy you
> anything if the transport layer doesn't provide encryption. That's because
> an auth token's mere presence works to sufficiently identify an authenticated
> user. I don't have to know what the value in the cookie means in any way.
>
> Does this help clear up your question, or did I misunderstand you, Bastien?
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>

Nope, makes sense, Adam.

Thanks,

--

Bastien

Cat, the other other white meat

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
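The distinction drawn in the thread, as an added example that is not part of the original messages: an encrypted auth cookie resists reading and tampering, yet an identical copy of it still authenticates, so the cookie has to be confined to TLS. The function names, the cookie name `auth` and the user id are assumptions; the `setcookie` options array needs PHP 7.3 or later.

```php
<?php
// Added example; all names and the user id are constructed for illustration.

// Seal the user id with AES-256-GCM so the client can neither read nor alter it.
function seal_token(string $userId, string $key): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($userId, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// The server accepts whoever presents a value that decrypts and verifies.
function authenticate(string $cookie, string $key): ?string {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;
}

// Mitigation: only ever send the token over TLS and keep it away from scripts.
function send_auth_cookie(string $cookie): void {
    setcookie('auth', $cookie, [
        'secure'   => true,   // browser will not attach it to plain-HTTP requests
        'httponly' => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

$key    = random_bytes(32);
$cookie = seal_token('user-1001', $key);

if (PHP_SAPI !== 'cli') {
    send_auth_cookie($cookie);   // must run before any output is sent
}

// Same opaque bytes presented by a different client: the server sees no difference.
$replayed = authenticate($cookie, $key);

// One flipped bit: this is the tampering that encryption does protect against.
$raw = base64_decode($cookie);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
$tampered = authenticate(base64_encode($raw), $key);

printf("replayed copy accepted as: %s\n", var_export($replayed, true));
printf("tampered copy accepted as: %s\n", var_export($tampered, true));
```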