Re: If you do away with server-side state, you don't need cookies
by mpeters (Chaplain) on Jul 05, 2005 at 16:48 UTC
|
| [reply] |
|
Whether you send the data to the client as a hidden field in a form, or as a cookie it's basically the same thing.
Not really. The complete-state-in-a-form method allows for easy session forking. It also allows users to undo state transitions by backing up into the browser history. Cookies don't support either of these.
Cheers, Tom
| [reply] |
|
Not really. The complete-state-in-a-form method allows for easy session forking. It also allows users to undo state transitions by backing up into the browser history. Cookies don't support either of these.
Session forking isn't that hard with IDs (whether cookie or URL based). Just have the ID index into a tree of state transitions on the server side. It's something I've done on several sites (and I've a vague memory that somebody has implemented a CPAN module that makes doing this fairly simple, but am to lazy to go find it :-)
Keeping the state server side can be handy, and having a small ID means I can stick it in a URL and have a more RESTful bookmarkable API.
| [reply] |
Re: Eliminate server-side state to obviate cookies
by hardburn (Abbot) on Jul 05, 2005 at 16:55 UTC
|
This sounds horribly insecure to me. How do you stop the client from changing the state into one it shouldn't.
I think I'll keep cookies with a randomly-generated ID crossreferenced to a database.
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.
| [reply] |
|
How do you stop the client from changing the state into one it shouldn't?
It's easy: cryptographically sign the state.
| [reply] |
|
Then you switch from needing to store a session ID in a database to needing to store and manage a private key. Not only that, but I can't imagine the ending size being less than the 160-bits needed for SHA1 (or 256 or 512 bits, if you want more secure hashes).
I'll continue looking for a solution that's better than cookies + secure ID + database.
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.
| [reply] |
|
|
| [reply] [d/l] |
|
People who talk about using one-time pads in practice are generally either military or idiots.
It takes a lot of work to generate (and in many cases to communicate) a one-time pad. Any reuse of data (or use of low-entropy random number generators) ruins the entire concept entirely, resulting in something that cryptographers assure me is easily broken. The required effort is fine for the military. But very few commercial applications find it feasible.
| [reply] |
|
|
| [reply] |