* Mark Fuller <suppressed> [2008-03-10T09:06:30]
> On Mon, Mar 10, 2008 at 3:56 AM, Ricardo SIGNES
> <suppressed> wrote:
> > stores your whole session in the cookie. It's stored as a base64-encoded,
> > Rijndael-enciphered, JSON-encoded string. This seemed like a swell idea
> > for me,
>
> I hear a lot about brute-force attacks on encryption. Also, that what
> seemed like a terrific amount of brute force 5-10 years ago isn't
> today. Is that a concern (if someone steals cookies)?
I think the amount of brute force required would still be pretty darn brutal.
I wouldn't use this for anything like banking or credit cards, but I feel
pretty okay about it for things like a Rubric login.
Probably what I'll do in the (near) future is have an n-day log of secrets,
generated daily. The cookie will then be like
{ generated: yyyymmdd, cookie: ciphertext }
You'll have to crack the secret within n days, which makes it even more
tedious.
Anyway, like I said, and like others say, this isn't for everyone or
everything.
--
rjbs
##### CGI::Application community mailing list ################
## ##
## To unsubscribe, or change your message delivery options, ##
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp ##
## ##
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/ ##
## Wiki: http://cgiapp.erlbaum.net/ ##
## ##
################################################################
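The cookie scheme rjbs describes above (session as JSON, Rijndael-enciphered, base64-encoded, wrapped as { generated: yyyymmdd, cookie: ciphertext } and keyed from an n-day log of daily secrets) as an added, stand-alone Go example. This is not Rubric's or CGI::Application's code, and it makes a few assumptions the thread does not spell out: the daily secret is a random 32-byte key minted the first time a day issues a cookie; the cipher mode is AES-256-GCM, which the post does not name (it says only Rijndael), chosen here so that a cookie that has been edited fails authentication instead of decrypting to garbage; the "generated" day is bound into the authentication as associated data; and the session contents in the test are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Envelope is the outer cookie shape from the thread: { generated: yyyymmdd, cookie: ciphertext }.
type Envelope struct {
	Generated string `json:"generated"`
	Cookie    string `json:"cookie"`
}

// SecretLog is the n-day log of daily secrets: one random 32-byte AES-256 key per day,
// minted when that day issues its first cookie (an assumption; the thread does not say
// how secrets are made or stored). Entries older than Days are simply never used again.
type SecretLog struct {
	Days    int
	secrets map[string][]byte
}

var ErrExpired = errors.New("no live secret for the cookie's generated day")
var ErrTampered = errors.New("cookie failed authentication")

func NewSecretLog(days int) *SecretLog {
	return &SecretLog{Days: days, secrets: map[string][]byte{}}
}

// aead builds AES-256-GCM for a secret; the constructors only fail on a bad key length.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable for the 32-byte secrets this log mints
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal serialises the session as JSON, encrypts it under today's secret with the day
// bound as associated data (so "generated" cannot be swapped), and base64s the envelope.
func (l *SecretLog) Seal(sess map[string]string, now time.Time) (string, error) {
	day := now.UTC().Format("20060102") // yyyymmdd, as in the thread
	key, ok := l.secrets[day]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return "", err
		}
		l.secrets[day] = key
	}
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain, _ := json.Marshal(sess) // a map[string]string always marshals
	ct := gcm.Seal(nonce, nonce, plain, []byte(day)) // nonce || ciphertext || tag
	raw, _ := json.Marshal(Envelope{Generated: day, Cookie: base64.StdEncoding.EncodeToString(ct)})
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Open reverses Seal, rejecting a cookie whose generated day is outside the n-day
// window or has no secret on record, and one whose ciphertext does not authenticate.
func (l *SecretLog) Open(cookie string, now time.Time) (map[string]string, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	gen, err := time.Parse("20060102", env.Generated)
	age := now.UTC().Sub(gen)
	key, ok := l.secrets[env.Generated]
	if err != nil || !ok || age < 0 || age >= time.Duration(l.Days)*24*time.Hour {
		return nil, ErrExpired
	}
	gcm := aead(key)
	ct, err := base64.StdEncoding.DecodeString(env.Cookie)
	n := gcm.NonceSize()
	if err != nil || len(ct) < n {
		return nil, ErrTampered
	}
	plain, err := gcm.Open(nil, ct[:n], ct[n:], []byte(env.Generated))
	if err != nil {
		return nil, ErrTampered
	}
	var sess map[string]string
	err = json.Unmarshal(plain, &sess)
	return sess, err
}
```

Two things worth noticing when reading this against the thread. The n-day window is enforced twice: Open refuses any cookie whose generated day is older than Days, and a day that never minted a secret on this server has nothing to decrypt under, so a cookie minted elsewhere is rejected the same way. And because the day string is authenticated as associated data, re-labelling an old cookie with a newer "generated" value does not buy an attacker anything: the tag no longer verifies under the newer day's key.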