Come for the quick hacks, stay for the epiphanies. | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
My take on the best method of security is context. I reckon one of the better methods is similar to what you suggest.
IMO there is no need to use crypto, save for md5, or sha1, which you could use to generate the sess_id, (seeded by the pid, time, rand and username perhaps). If you're going to have a high transaction site, you may as well use md5 (or sha1) because, its easy, and the chance of a collision is amazingly small. There are of course prebuilt things out there, however, I chose to write my own because it was fun and taught me a lot. For added security, add a dash of https, and run your sessions over it. Check out this node for a thread on sessions management without cookies, and here for a bit of light reading on secure session management.In reply to Re: Secure State Maintenance
by Ryszard
|
|