[sf-perl] Secure Cookies outside of catalyst?
yary
not.com at gmail.com
Sat Dec 4 11:24:44 PST 2010
If you want to prevent end-user tampering (and not third-party
eavesdropping), you don't need the "secure" flag, which will only send
the cookie over https, or the "httponly" flag, which will prevent
javascript from reading the cookie. To make it tamper-resistant all
you need to do is one of two things:
1. encrypt the cookie's data before sending it to the browser and
decrypt on the way back.
2. Generate a large random identifier that you use to look up the session data.
-y
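Both options from the post above, worked through as an added Perl example (editor's code, not yary's or Catalyst's): option 1 implemented as a cookie authenticated with HMAC-SHA256 from the core Digest::SHA module, since a MAC is what actually detects modification (encryption alone hides the value but does not by itself reject a changed one), and option 2 as a 256-bit identifier read from /dev/urandom. The secret, the constructed payload and the sub names are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical server-side secret. In a real deployment load it from
# configuration, keep it out of the source tree, and rotate it.
my $SECRET = 'replace-me-with-32-random-bytes';

# Option 1: tamper-evident cookie.
# Wire format: base64(payload) . '.' . hex(HMAC-SHA256(base64(payload), secret))
# The payload is readable by the user; it just cannot be changed unnoticed.
sub sign_cookie {
    my ($secret, $payload) = @_;
    my $b64 = encode_base64($payload, '');      # '' = no line breaks
    my $mac = hmac_sha256_hex($b64, $secret);
    return "$b64.$mac";
}

# Returns the payload if the MAC verifies, undef on any failure.
sub verify_cookie {
    my ($secret, $cookie) = @_;
    return unless defined $cookie;
    my ($b64, $mac) = split /\./, $cookie, 2;   # neither part contains '.'
    return unless defined $b64 && defined $mac;
    my $expected = hmac_sha256_hex($b64, $secret);
    return unless constant_time_eq($expected, $mac);
    return decode_base64($b64);
}

# Compare two strings without stopping at the first mismatch, so the
# time taken does not reveal how many leading bytes of the MAC matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr $x, $i, 1) ^ ord(substr $y, $i, 1);
    }
    return $diff == 0;
}

# Option 2: an unguessable session identifier. 32 bytes from the OS
# CSPRNG is 256 bits; the session data itself stays server-side, keyed
# by this id, so there is nothing in the cookie worth tampering with.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;                 # 64 hex characters
}

# Demonstration with a constructed payload (not a real session).
unless (caller) {
    my $cookie = sign_cookie($SECRET, 'user=alice;role=user');
    print "Set-Cookie: sess=$cookie\n";
    print "verified payload: ", verify_cookie($SECRET, $cookie), "\n";

    # An end user who edits the payload to grant themselves 'admin' but
    # cannot recompute the MAC (no secret) is rejected on the way back.
    my (undef, $mac) = split /\./, $cookie, 2;
    my $forged = encode_base64('user=alice;role=admin', '') . ".$mac";
    print "forged cookie: ",
        (defined verify_cookie($SECRET, $forged) ? 'accepted' : 'rejected'), "\n";

    print "new session id: ", new_session_id(), "\n";
}
```

Only core modules are used, so this runs with a stock perl on any Unix-like system; on platforms without /dev/urandom, substitute a CPAN module such as Crypt::URandom for new_session_id. If the cookie contents must also be hidden from the user, encrypt the payload and then MAC the ciphertext, or use an authenticated mode; the MAC alone only covers the tampering case the post is about.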