in reply to Encrypt web form values

Why would you want to do such a thing? What can be so secret that even the recipient of the web-page should not be trusted to read it?

If you do not want the data to be known, then just don't send the data. Instead send a cookie and keep the data on your system. The data in the cookie (which can be as simple as a UUID) will be the key to your cookie-vault where the webserver can retrieve it.

And if you want to avoid eavesdroppers, use a secure protocol such as HTTPS, so third parties cannot even intercept the cookie's content and use it in a replay-attack.

Oh yes, and of course use only session cookies and expire them in any case after a short while of no connections.

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

Re^2: Encrypt web form values
by Anonymous Monk on Dec 06, 2008 at 01:36 UTC

    Thanks, you got me thinking.

    I need to encrypt certain values so that they can't be modified by the recipient of the web-page (such as downloading the page and modifying the hidden values). These values will be used when the page is submitted for server-side processing.

    Should I be looking at CGI::Session to store the data? Can the recipient of a web-page manipulate these data for unintended purposes? In other words, can web-form values stored using CGI::Session be reliably used?

      Hi,

      Yes, you should definitely look into CGI::Session. No, the user cannot modify it, if you're not allowing it from the server-side code. You can store almost whatever you want, and yes, it can be reliably used. For storage you also have several options: file, db, cache, etc.

      Regards,

      fmerges at irc.freenode.net

        Thanks, fmerges.

        So the recipient of the web page has no way of tampering with the session data, am I right? Could you clarify "if you're not allowing it from the server side code."? What does that mean?
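The pattern CountZero describes (keep the sensitive values on the server, send the browser only an opaque session id in a session cookie over HTTPS, expire it after a short idle period) and the CGI::Session approach fmerges recommends can be put together in one small CGI script. The example below is added here and is not code from either poster; it assumes CGI.pm and CGI::Session are installed, uses `/tmp/sessions` as a placeholder directory for the file driver, and the item id and price are constructed sample values. The commented-out line in the POST branch shows what "allowing it from the server-side code" would look like: the only way the client can change a session value is if the script copies a submitted field into the session.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Assumed: a session store on local disk; '/tmp/sessions' is a placeholder path.
my $cgi = CGI->new;

# Load the session named by the cookie, or create a fresh one if there is none
# (CGI::Session reads the 'CGISESSID' cookie or query parameter by default).
my $session = CGI::Session->new('driver:File', $cgi, { Directory => '/tmp/sessions' })
    or die CGI::Session->errstr;

# Short idle timeout: the whole session disappears after 20 minutes without a request.
$session->expire('+20m');

if ($cgi->request_method eq 'GET') {
    # The values the browser must not be able to alter are decided here, on the
    # server, and kept in the session. Only the opaque session id goes to the client.
    $session->param('item_id',    4711);     # constructed sample value
    $session->param('unit_price', '19.95');  # constructed sample value
    $session->flush;

    # Session cookie: no Expires/Max-Age, HttpOnly, and Secure so it only travels over HTTPS.
    my $cookie = $cgi->cookie(
        -name     => $session->name,
        -value    => $session->id,
        -httponly => 1,
        -secure   => 1,
    );
    print $cgi->header(-cookie => $cookie);

    # The form carries nothing sensitive; no hidden fields for item or price.
    print $cgi->start_html('Order'),
          $cgi->start_form(-method => 'POST'),
          'Quantity: ', $cgi->textfield(-name => 'qty', -default => 1),
          $cgi->submit('Order'),
          $cgi->end_form,
          $cgi->end_html;
}
else {
    # On POST, read the trusted values back from the session, never from the form.
    my $item  = $session->param('item_id');
    my $price = $session->param('unit_price');

    # No session (cookie missing or expired): refuse rather than guess.
    unless (defined $item && defined $price) {
        print $cgi->header(-status => '400 Bad Request');
        exit;
    }

    # The one thing that legitimately comes from the client is validated strictly.
    my ($qty) = ($cgi->param('qty') // '') =~ /^([1-9]\d{0,2})$/
        or do { print $cgi->header(-status => '400 Bad Request'); exit };

    # What NOT to do: copying a submitted field into the session lets the client
    # dictate it. This is the "allowing it from the server-side code" case.
    # $session->param('unit_price', scalar $cgi->param('unit_price'));   # never do this

    print $cgi->header(-type => 'text/plain');
    printf "item %s x %d at %s each = %.2f\n", $item, $qty, $price, $qty * $price;

    # The order is complete; drop the session so the id cannot be replayed.
    $session->delete;
    $session->flush;
}
```

Because the browser only ever holds the session id, "downloading the page and modifying the hidden values" has nothing to modify; the worst a tampered request can do is change `qty`, which the regex bounds. Keeping the cookie `Secure` is what makes CountZero's HTTPS point hold in practice, since a session cookie sent over plain HTTP can be captured and replayed just as a hidden field could.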