in reply to Re: Encrypted Storage of sensible Data in a Cookie
in thread Encrypted Storage of sensible Data in a Cookie

But then I have to store the password plaintext on the server, right? This is not what I wanted.

But thanks for the hint, I just started reading that book and will hopefully gain some insights.

alex pleiner <alex@zeitform.de>
zeitform Internet Dienste

  • Comment on Re: Re: Encrypted Storage of sensible Data in a Cookie

Replies are listed 'Best First'.
Re: Re: Re: Encrypted Storage of sensible Data in a Cookie
by davis (Vicar) on Oct 22, 2001 at 14:16 UTC
    Almost. You're not storing the users' passwords on the server, but the "secret key".

    Here's some actual (old) code: 
            my $secret_key = "BLAHBLAHBLAH";
        my $session_cookie = $query->cookie('SessionID');
        umask 0066;
        if($session_cookie) {
                my $mac;
                if(($sessionid, $mac) = split("-", $session_cookie)) {
                        ###Ok, the user has returned a cookie,
                        ###let's make sure it's not been tampered with
+.
                        if($mac ne md5_hex($sessionid . md5_hex($sessi
+onid.$secret_key))) {
                                destroy_cookie($sessionid, "MODIFIED")
+; ###Ack. Nasty people
                                return;
                        } else {
                ###Other checks.
            }

    [download]
    This way you're not storing the password, you're just making sure the user doesn't modify the data. A reasonable golden rule is: "NEVER trust the data the user hands you".
[reply]
[d/l]

In Section Cool Uses for Perl