[OT?] Sanity check... (On MD5, 3DES, Cookies and other animals)
by smullis (Pilgrim)
on Nov 05, 2004 at 17:08 UTC
smullis has asked for the wisdom of the Perl Monks concerning the following question:
You guys seem like you know your onions...
Can I ask for a quick sanity check on an idea?
I'm not convinced that this is safe from cookie poisoning (the values of some of the keys would be easy to guess). Also, I would like the mod_perl app to be flexible enough to react to any combination of values with which it is presented (i.e. for values that do not yet exist).
I am thinking that if the ASP system digitally signed the values in the cookie (using its private key) then the mod_perl app could be sure that they originated there and only there and act accordingly.
Is this a valid approach?
Many thanks in advance and apologies for the not-directly-perl-related nature of this post.
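The scheme the poster sketches, the issuing system authenticating the cookie's key/value pairs so the mod_perl side can trust whatever combination of values it receives, as an added illustration that is not part of the original post or its replies. The post proposes an asymmetric signature made with the ASP system's private key; this example uses an HMAC over a shared secret instead (Python standard library only, no RSA available without a third-party module), so the shared secret `SECRET`, the field names `v`/`iat`, the `max_age` window and the sample values are all assumptions. The verification logic is the same either way: canonical serialisation of the values, a constant-time tag check, a freshness window, and rejection of anything malformed. Note the one property the MAC does not give you: whoever holds the shared secret can mint cookies, so if the mod_perl host must be able to verify but never issue, a signature with the private key kept on the ASP side (and only the public key on the mod_perl side) is the right primitive.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed shared secret (constructed for this example). In the poster's design this
# would instead be a private key held only by the issuing ASP system.
SECRET = b"replace-me-with-32-random-bytes-from-os.urandom"


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the result is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises binascii.Error on garbage."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(values: dict, secret: bytes, issued_at: int) -> str:
    """Serialise the key/value pairs canonically and append an HMAC-SHA256 tag.

    sort_keys + compact separators means the same dict always yields the same
    bytes, so the verifier does not have to re-parse before checking the tag.
    """
    body = json.dumps({"v": values, "iat": issued_at},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_cookie(cookie: str, secret: bytes, now: int, max_age: int = 3600):
    """Return the authenticated values, or None if the cookie is not trustworthy.

    The tag is checked before the body is parsed: an attacker must not be able
    to drive the JSON parser with bytes they chose. Any shape problem is
    treated the same way as a bad tag.
    """
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # compare_digest is constant-time and returns False for length mismatches.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(body)
        issued_at = int(payload["iat"])
        values = payload["v"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(values, dict) or now - issued_at > max_age or issued_at > now:
        return None
    # Every key/value pair survives intact, including ones the verifier has never
    # seen before: the poster's "react to any combination of values" requirement.
    return values


def tampered_copy(cookie: str, new_values: dict) -> str:
    """Rewrite the body of a signed cookie while keeping the old tag (attacker action)."""
    body_b64, tag_b64 = cookie.split(".")
    old = json.loads(_unb64(body_b64))
    body = json.dumps({"v": new_values, "iat": old["iat"]},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    issued = int(time.time())
    cookie = sign_cookie({"user": "smullis", "role": "member"}, SECRET, issued)
    print("genuine  ->", verify_cookie(cookie, SECRET, issued + 10))
    forged = tampered_copy(cookie, {"user": "smullis", "role": "admin"})
    print("poisoned ->", verify_cookie(forged, SECRET, issued + 10))
```

Running the module prints the original values for the genuine cookie and `None` for the poisoned one; guessing the plaintext of a key is no longer enough, the attacker also needs the secret (or, in the signature variant, the private key) to produce a tag the mod_perl side will accept.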