friedo has asked for the wisdom of the Perl Monks concerning the following question:

I'm thinking of writing a CGI::Session driver that works like CGI::Session::Driver::file, except that it stores the data encrypted with a symmetric key. The key itself would be stored in the cookie. This would make it difficult (though by no means impossible) for a person with access to the session files to decipher them. I'm not looking for ironclad security here; just something that would deter a casual peek. Is this a good idea, or (even better) does something like this exist already on CPAN?
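A sketch of the scheme the question describes, added here as an example and not code from the thread or from CGI::Session: the session file holds only authenticated ciphertext, and the key lives only in the cookie. It assumes the CryptX distribution (Crypt::AuthEnc::GCM, Crypt::PRNG) is installed; the helper names and sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);
use MIME::Base64 qw(encode_base64url decode_base64url);
use JSON::PP;

# Hypothetical helpers; these names are not part of CGI::Session.
# A fresh 256-bit key per session, sent to the client only as a cookie value.
sub new_cookie_key { return encode_base64url(random_bytes(32)) }

# Returns the bytes to write to the session file: nonce || tag || ciphertext.
sub seal_session {
    my ($cookie_key, $sid, $data) = @_;
    my $key   = decode_base64url($cookie_key);
    my $nonce = random_bytes(12);    # fresh nonce for every write
    my $plain = JSON::PP->new->canonical->utf8->encode($data);
    # The session id is bound in as associated data, so a blob copied
    # into another session's file fails verification.
    my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $nonce, $sid, $plain);
    return $nonce . $tag . $ct;
}

# Returns the session hashref, or undef if the key is wrong or the file was altered.
sub open_session {
    my ($cookie_key, $sid, $blob) = @_;
    return undef if length($blob) < 28;    # 12-byte nonce + 16-byte tag
    my $key = decode_base64url($cookie_key // '');
    return undef unless length($key) == 32;
    my ($nonce, $tag, $ct) = unpack('a12 a16 a*', $blob);
    my $plain = gcm_decrypt_verify('AES', $key, $nonce, $sid, $ct, $tag);
    return defined $plain ? JSON::PP->new->utf8->decode($plain) : undef;
}

# Constructed sample data.
my $sid  = 'constructed-session-id-0001';
my $key  = new_cookie_key();
my $blob = seal_session($key, $sid, { user => 'alice', cart => [ 3, 7 ] });

print "file bytes: ", length($blob), "\n";
print "with cookie key: ", (open_session($key, $sid, $blob) ? "ok" : "fail"), "\n";
print "with other key: ", (open_session(new_cookie_key(), $sid, $blob) ? "ok" : "rejected"), "\n";
substr($blob, -1, 1) ^= "\x01";    # simulate a modified session file
print "after tampering: ", (open_session($key, $sid, $blob) ? "ok" : "rejected"), "\n";
```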

Replies are listed 'Best First'.
Re: Securely storing session data
by zentara (Cardinal) on Mar 18, 2006 at 12:14 UTC
Re: Securely storing session data
by spiritway (Vicar) on Mar 18, 2006 at 21:08 UTC

    Instead of storing the key in the cookie (this seems risky), what about storing the key on the server, and using the cookie (with a globally unique ID) to retrieve the key?

Re: Securely storing session data
by Anonymous Monk on Mar 18, 2006 at 10:57 UTC
    Of course this should work; you should use one-time passwords for it.