Re: Best practice, (secure), to save session data? [message #178455 is a reply to message #178453]
Tue, 19 June 2012 06:37
Arno Welzel
Chris Davies, 19.06.2012 00:12:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>> Yes, and my point was - you don't NEED access to the encrypted data.
>> All you need to do is send a copy of the cookie itself to log in.
>
> At no point until my most recent did I suggest this cookie might even
> provide an authentication service. In the scenario as described it
> contains (encrypted) information, not an authentication token.

Maybe you missed the point in the OP:

"The users have 2 choices, either we 'remember' the user after they
close their browsers or not, (for up to 30 days).
We create a unique cookie id and we store/retrieve the data based on
that unique id."

And "remembering a user for up to 30 days" means "if a cookie is set,
the user does not have to log in" to me.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de