in reply to Re^4: Is this a secure way to prevent cookie tampering
in thread Is this a secure way to prevent cookie tampering

You don't need to put the id in the cookie. It is acceptable to use the sequential integer id as the primary key in the database. Having a longer key is a good idea since it makes it harder to guess. You can send just the key in the cookie, and look that up to find the session.

Re^6: Is this a secure way to prevent cookie tampering
by exussum0 (Vicar) on Jul 01, 2004 at 02:32 UTC
    I hope you mean sequential as in a sequence with hard to predict next values. It's better off to take noise from /dev/urandom or something like that. Pregenerate the primary keys or something. But don't use a predictable sequence. Otherwise, guessing someone else's session key is easy. Even if you are encrypting, if the encryption is broken, a random next number is harder to guess.

    Bart: God, Schmod. I want my monkey-man.
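To illustrate the two points above (keep the sequential integer as the database primary key, but put only a separately generated random key in the cookie, and draw that key from /dev/urandom rather than a predictable sequence), here is an added Perl example that is not from either post. It assumes a Unix system with /dev/urandom and uses in-memory hashes in place of the real sessions table; the predictable variant is included only for contrast.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the sessions table: the sequential integer stays the
# primary key, but it never leaves the server.
my %sessions_by_id;   # id  => { key => ..., user => ... }
my %id_by_key;        # key => id, the index used to resolve a cookie
my $next_id = 0;

# Weak: a predictable sequence. Anyone holding one key can compute the
# neighbouring keys. Shown only for contrast; never use it for cookies.
sub next_sequential_key {
    my ($last) = @_;
    return $last + 1;
}

# Strong: 16 bytes of kernel randomness, hex-encoded, for the cookie.
sub new_random_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack('H*', $buf);    # 32 hex characters, 128 bits of entropy
}

# Create a session for a user and return only the random key for the cookie.
sub create_session {
    my ($user) = @_;
    my $key;
    do { $key = new_random_key() } while exists $id_by_key{$key};
    my $id = ++$next_id;          # sequential id stays server-side
    $sessions_by_id{$id} = { key => $key, user => $user };
    $id_by_key{$key}     = $id;
    return $key;
}

# Resolve a cookie value back to its session, or undef if it is unknown.
# The format check rejects junk before it ever reaches the lookup.
sub lookup_session {
    my ($cookie_key) = @_;
    return undef unless defined $cookie_key && $cookie_key =~ /\A[0-9a-f]{32}\z/;
    my $id = $id_by_key{$cookie_key};
    return defined $id ? $sessions_by_id{$id} : undef;
}

create_session('alice');
my $bob_cookie = create_session('bob');
my $s = lookup_session($bob_cookie);
print "cookie $bob_cookie -> id $id_by_key{$bob_cookie}, user $s->{user}\n";
print defined lookup_session('0' x 32) ? "hit\n" : "unknown key rejected\n";
```

Guessing a valid cookie here means guessing 128 random bits, whereas with next_sequential_key a single observed value reveals every neighbour.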