Re: Best practice, (secure), to save session data? [message #178405 is a reply to message #178402]
Thu, 14 June 2012 12:52 |
Chris Davies
Simon <bad(at)example(dot)com> wrote:
> the way I see it, if they can get the session cookie then they can
> just as well access the base64_encoded data anyway.
Almost.
1. If you put the data in the session cookie as base64 then it can be
decoded and viewed any time someone likes. No security.
2. If you encrypt the data into the cookie using a secret known only to
the website then at least someone has to go to the bother of trying to
brute force the data string, but they have as much time as they like to
do so. Password security.
3. If you put a session key in the cookie with, say, a 4-hour timeout on
the webserver side where the real data is stored, then after the timeout
has expired the session key is useless to anyone trying to obtain your
client's data. Time security.
You have to trade off password-based vs time-based security. Generally
#3 is the preferred solution.
Chris
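An added example, not code from Chris's post or from anyone else in this thread, showing option 1 and option 3 side by side in Python. The base64 helpers show that option 1 is readable by anyone holding the cookie. The session store keeps the real data on the server under a random key, which is the only thing the cookie ever carries, and refuses the key once the 4-hour window has passed. The in-memory dict, the `FakeClock` used to advance time, and the `user_id`/`role` fields are assumptions made for the example.

```python
import base64
import json
import secrets
import time

SESSION_LIFETIME = 4 * 60 * 60  # seconds; the 4-hour timeout from the post


def write_base64_cookie(data):
    """Option 1: base64-encode the data straight into the cookie value."""
    return base64.b64encode(json.dumps(data).encode()).decode()


def read_base64_cookie(cookie_value):
    """Option 1 from the attacker's side: anyone holding the cookie can read
    it, because base64 is an encoding, not encryption."""
    return json.loads(base64.b64decode(cookie_value))


class FakeClock:
    """Assumed test clock so expiry can be exercised without waiting 4 hours."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SessionStore:
    """Option 3: the cookie carries only an unguessable session key and the
    real data stays on the server with an expiry time.  A stolen key is
    worthless once the server-side entry has expired."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # assumed in-memory store: key -> (expires_at, data)

    def create(self, data):
        """Store data server-side and return the key to put in the cookie."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[key] = (self._clock() + self._lifetime, dict(data))
        return key

    def get(self, key):
        """Return the session data, or None if the key is unknown or expired."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        expires_at, data = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired: the key is now useless
            return None
        return dict(data)

    def destroy(self, key):
        """Logout: drop the server-side entry so the key stops working now."""
        return self._sessions.pop(key, None) is not None

    def purge_expired(self):
        """Housekeeping: drop every expired entry; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (exp, _) in self._sessions.items() if now >= exp]
        for k in stale:
            del self._sessions[k]
        return len(stale)


def demo():
    """Walk the 4-hour window: the key works before it and is dead after it."""
    clock = FakeClock(now=1_000_000.0)
    store = SessionStore(clock=clock)
    key = store.create({"user_id": 42, "role": "editor"})
    before = store.get(key)
    clock.now += SESSION_LIFETIME       # jump to the 4-hour mark
    after = store.get(key)
    return before, after


if __name__ == "__main__":
    print("option 1 cookie decodes to:", read_base64_cookie(write_base64_cookie({"user_id": 42})))
    print("option 3 before/after timeout:", demo())
```

The `secrets` module matters here: the whole scheme rests on the key being unguessable, so it must come from the OS CSPRNG rather than `random`. Expiry is checked on every lookup, not only in `purge_expired`, so a key that has timed out is rejected even if housekeeping has not run yet.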