in reply to Is this use of crypt() appropriate?

ichimunki++ from me too. However you can secure a cookie without SSL. See my module that I use for mod_perl to encrypt the contents of a cookie, Apache::Cookie::Encrypted. Very easily done with Crypt::Blowfish and it even has a pure Perl implementation.

In most cases. If a user doesn't have the module and has SSH access to their account they usually can install the module into their workspace. If they don't have access, there usually is a way to finagle it in if it's a pure Perl module. It doesn't hurt to ask the Admin if they would install any modules needed. If they don't want to install it and they cite a good reason for it, fine. If the reason is bad it usually is a sign of a lazy admin, you're better off taking your business elsewhere.

The others have more than explained the proper use of Crypt.

BMaximus

(ichimunki) re x 2: Is this use of crypt() appropriate?
by ichimunki (Priest) on Nov 09, 2001 at 02:48 UTC
    Cool module. But I still think it leaves the cookie vulnerable to sniffing, which is all that is needed. If I can replicate your cookie, encrypted or not, I can pass it to the server as if I were you and more likely than not the server will believe everything is fine. That's the reason we have to encrypt the transmission itself and not merely the contents of the cookie. That way an attacker has almost no chance to guess which parts of the transmission are the cookie and re-use them.
      Good point. But I doubt that a person who is sniffing on the net would get the whole thing. It would take a person being on the same LAN to get the whole cookie with a sniffer. I was thinking that a way to combat this would be to add the IP address of the computer the cookie is being sent to into the encrypted contents. However something like that would cause a problem with anyone who is using a proxy (like AOL). If I were doing E-Commerce I would most definitely use SSL. Any way of securing a cookie without SSL? Taking an MD5 of the cookie won't do it since the cookie is not changed. Where does being careful cross over to being overly paranoid?

      BMaximus
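The idea BMaximus floats above (binding the client address into the protected cookie so a copy captured on the wire is useless elsewhere) as an added, stand-alone example; this is not code from the thread or from Apache::Cookie::Encrypted. It uses an HMAC over the cookie contents rather than Blowfish encryption, since the concern here is replay and tampering rather than secrecy, and it adds an expiry to limit how long a captured cookie stays usable. The secret key, user names and addresses are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example only; a real deployment loads it from
# outside the web root and never reuses the one shown here.
SECRET = b"constructed-example-key-not-for-production"


def issue_cookie(user, client_ip, ttl=600, now=None):
    """Build 'b64(payload).b64(mac)' where the payload carries the user,
    the client address it was issued to, and an expiry timestamp."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": user, "ip": client_ip, "exp": now + ttl},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_cookie(cookie, client_ip, now=None):
    """Return the user name if the cookie is authentic, unexpired and was
    issued to client_ip; return None for anything else (forged, altered,
    expired, or replayed from another address)."""
    now = int(time.time()) if now is None else now
    try:
        p_b64, m_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except ValueError:          # malformed base64 or missing separator
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return None
    data = json.loads(payload)
    # The address check is what defeats a cookie replayed from elsewhere;
    # as the thread notes, users behind a changing proxy pool (AOL) will
    # fail it, so the expiry is the fallback that still bounds the damage.
    if data["exp"] < now or data["ip"] != client_ip:
        return None
    return data["u"]


if __name__ == "__main__":
    c = issue_cookie("alice", "192.0.2.10", ttl=600, now=1000)
    print(verify_cookie(c, "192.0.2.10", now=1100))    # alice
    print(verify_cookie(c, "198.51.100.7", now=1100))  # None: other address
    print(verify_cookie(c, "192.0.2.10", now=2000))    # None: expired
```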