I don't see the point of having a digital signature in a cookie under normal circumstances. Granted, you can verify the signature to ensure that the server signed the cookie. But, most often, the only purpose of the cookie is to point to a persistent file on the server. If the files are named randomly and the users can't get a list of the names of the files, they can't just make up cookie values anyway.
If you need to sign the cookies because you are going to store actual data in the cookie itself, instead of having the cookie point to a file on the server that contains the data, then you will need to sign them. But that's not commonly done. Would it matter to you that the users can just delete the cookies?
A digital signature is just a hash digest (sha1 or md5 usually) that has been encrypted. Cpan has lots of hash and encryption packages. I'm partial to OpenSSL, which seems to have a fairly large user base, so I would try the Crypt::OpenSSL::* modules first.
Good luck. You will need it. Remember that cryptography has a long sad history of systems that went into production and were then found to be startlingly weak due to minute flaws in the design. There is no substitute for careful design, and also no substitute for adequate peer review.
In reply to Re: Digitally Signed Cookie
by quester
in thread Digitally Signed Cookie
by toronto75
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |