in reply to Re: Security
in thread Security

I agree that cookies aren't the best way to do security. However. . .

If you create your cookies using random data and with a one-way hash like MD5, and then store the cookies you create in a server-side database, then the cookie manufacturing becomes very difficult. You can send your manufactured cookies 'til the blue cows come home, but until one matches what's stored in the database, it's all for naught.

Just my $.02. . .

Update: Copying a cookie is different than manufacturing one. . . See below. . .

Re: Re: Re: Security
by blue_cowdawg (Monsignor) on May 23, 2001 at 21:22 UTC

    If I copy a cookie from someone's browser (small amount of handwaving here on how I get it in the first place) then it doesn't really matter how I encode it unless I am using some sort of Diffie-Hellman pair. I'd still be stealing someone's identity.

    Unless there is some sort of challenge/response happening where the user has to perform some active function such as type in a password, use a smart card, or whatever, using a client-side cookie is just asking for trouble.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Peter L. Berghold --- Peter@Berghold.Net
    "Those who fail to learn from history are condemned to repeat it."
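
The two points made in this thread, as an added Python example that is not code from either poster: a random cookie checked against a server-side table cannot be manufactured by guessing, yet the server accepts a copied cookie exactly as it accepts the owner's. `SessionStore` and its methods are hypothetical names, an in-memory dict stands in for the database, and `secrets` with SHA-256 is used in place of the MD5 mentioned above; expiry and revocation are added assumptions that limit how long a copied cookie stays useful.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical server-side table of issued cookies (dict stands in for the database)."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(cookie) -> (user, expiry); the raw cookie is never stored

    @staticmethod
    def _digest(cookie):
        return hashlib.sha256(cookie.encode("utf-8", "replace")).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(cookie)] = (user, now + self.ttl)
        return cookie

    def validate(self, cookie, now=None):
        now = time.time() if now is None else now
        key = self._digest(cookie)
        row = self._rows.get(key)
        if row is None:
            return None  # never issued: a manufactured cookie ends here
        user, expiry = row
        if now >= expiry:
            del self._rows[key]  # expired rows are dropped on first use
            return None
        return user

    def revoke(self, cookie):
        self._rows.pop(self._digest(cookie), None)


def demo():
    store = SessionStore(ttl_seconds=60)
    cookie = store.issue("alice", now=1000.0)
    owner = store.validate(cookie, now=1010.0)
    # Manufactured cookies: random guesses never match a stored row.
    guesses = (secrets.token_urlsafe(32) for _ in range(1000))
    hits = sum(store.validate(g, now=1010.0) is not None for g in guesses)
    # A copied cookie is byte-identical, so the server cannot tell it apart.
    copied = store.validate(str(cookie), now=1020.0)
    store.revoke(cookie)  # e.g. on logout or a fresh password check
    after_revoke = store.validate(cookie, now=1030.0)
    stale = store.validate(store.issue("bob", now=1000.0), now=1061.0)
    return {"owner": owner, "guess_hits": hits, "copied": copied,
            "after_revoke": after_revoke, "expired": stale}
```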