One of the no-no's in web based applications is storing user data on the client, encrypted or not. The reason for this is you have no control over the information once it has passed to the client.
For example, if you are writing an application and send a session id to the client that is a two way operation, someone could sniff the packets, grab the information and reverse it. Once they have reversed it they may hijack the session. What you don't know are the resources your attacker has (They may have a cluster of E15k's at their disposal).
If you use a what is considered a one way function (such as MD5 or SHA-1) it is relatively impossible for an attacker to derive the meaning of your id. If you then store your generated sess_id along side your user_id at the server, you have complete control over the information. Identifying the user is as simple as looking the sess_id up in a database.
OTOH if your attacker has a cluster of E15k's you've got a bigger problem on your hands.. ;-)
In reply to Secure Session management (was Crypt::DES returns same string)
by Ryszard
in thread Crypt::DES returns same string
by learn_forever
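The server-side scheme the post describes (an opaque sess_id that is looked up against user_id on the server, with nothing reversible handed to the client), as an added example that is not part of the original thread or of Crypt::DES. It is written in Python rather than Perl; the class name, the cookie name `sess_id` and the injectable clock are assumptions made for the example. Instead of hashing the user id with MD5 or SHA-1, the id is drawn straight from the OS CSPRNG, so it carries no information about the user at all and there is nothing for an attacker to derive even with a large cluster:

```python
import secrets
import time
from typing import Optional


class SessionStore:
    """Server-side session table: sess_id -> (user_id, expiry time).

    The client only ever holds the random sess_id. Everything that
    matters (which user, how long it is valid) lives on the server,
    so the server keeps full control over the information.
    """

    def __init__(self, ttl_seconds: int = 1800, now=time.time):
        # hypothetical in-memory table; a real deployment would use a DB
        self._sessions: dict[str, tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._now = now  # clock is injectable so expiry can be tested

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG, hex-encoded: 256 bits of entropy and
        # no relation to user_id, so the id cannot be reversed or predicted.
        sess_id = secrets.token_hex(32)
        self._sessions[sess_id] = (user_id, self._now() + self._ttl)
        return sess_id

    def lookup(self, sess_id: str) -> Optional[str]:
        """Identify the user by looking the sess_id up server-side."""
        entry = self._sessions.get(sess_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() >= expires_at:
            # expired sessions are dropped so a sniffed id has a short life
            del self._sessions[sess_id]
            return None
        return user_id

    def destroy(self, sess_id: str) -> None:
        """Logout: forget the id so it can no longer be used."""
        self._sessions.pop(sess_id, None)


def user_for_request(store: SessionStore, cookie_header: str) -> Optional[str]:
    """Resolve the user for an incoming request from its Cookie header value.

    The header is parsed as 'name=value; name=value'; only the sess_id
    cookie is consulted, and an unknown or expired id yields None.
    """
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sess_id":
            return store.lookup(value)
    return None


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice")            # constructed sample user
    print("issued id length:", len(sid))   # 64 hex characters
    print("user for id:", user_for_request(store, f"theme=dark; sess_id={sid}"))
    store.destroy(sid)
    print("after logout:", user_for_request(store, f"sess_id={sid}"))
```

Because the id is random rather than derived from user data, the only things an attacker can do with a captured one are replay it while it is still valid; the short TTL and the explicit `destroy` on logout are what limit that window, which is why both live on the server rather than in the cookie.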