[sf-perl] Secure Cookies outside of catalyst?

yary not.com at gmail.com
Sat Dec 4 11:24:44 PST 2010


If you want to prevent end-user tampering (and not third-party
eavesdropping), you don't need the "secure" flag, which will only send
the cookie over https, or the "httponly" flag, which will prevent
JavaScript from reading the cookie. To make it tamper-resistant, all
you need to do is one of two things:

1. Encrypt the cookie's data before sending it to the browser and
decrypt it on the way back.
2. Generate a large random identifier that you use to look up the session data.

-y
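Both options from the post, worked through as an added example (this is not code from the post or from the SanFrancisco-pm list). For option 1 it attaches an HMAC-SHA256 tag to the serialised session data, since what makes a cookie tamper-resistant is an integrity check the browser cannot forge; the `SERVER_KEY` value, the `SessionStore` class and the `tamper_detected` helper are constructed for this example. Python's standard library is used so the snippet runs offline; the same shape (base64 payload, keyed hash, constant-time compare) ports directly to Perl with Digest::SHA's hmac_sha256_hex and MIME::Base64.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed secret for this example. A real deployment loads the key from
# configuration, keeps it off the client entirely, and rotates it.
SERVER_KEY = b"example-only-secret-key-rotate-me"


def seal_cookie(data: dict, key: bytes = SERVER_KEY) -> str:
    """Option 1: serialise the session data and attach an HMAC-SHA256 tag.

    The browser can still read the payload (it is only base64), but it cannot
    change a byte of it without invalidating the tag, because the tag depends
    on a key the browser never sees.
    """
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def open_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the tag before trusting anything in the payload.

    Returns None for a missing, malformed or tampered cookie. The compare is
    constant-time so the check itself does not leak the expected tag.
    """
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not payload:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, TypeError):
        return None


def tamper_detected(sealed: str, altered: dict) -> bool:
    """Rebuild the cookie with an altered payload but the original tag and
    report whether open_cookie rejects it (it should)."""
    _, _, original_tag = sealed.rpartition(".")
    altered_payload = base64.urlsafe_b64encode(
        json.dumps(altered, sort_keys=True).encode()
    ).decode()
    return open_cookie(f"{altered_payload}.{original_tag}") is None


class SessionStore:
    """Option 2: the cookie carries only an opaque random identifier and the
    data stays on the server. There is nothing in the cookie to tamper with;
    the only attack left is guessing an id, which 256 random bits rule out."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 32 bytes = 256 bits of randomness
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


if __name__ == "__main__":
    sealed = seal_cookie({"user": "alice", "role": "user"})
    print("sealed cookie:", sealed)
    print("verified:", open_cookie(sealed))
    print("privilege change rejected:",
          tamper_detected(sealed, {"user": "alice", "role": "admin"}))
    store = SessionStore()
    sid = store.create({"user": "bob"})
    print("session id:", sid, "->", store.lookup(sid))
```

Either approach makes the cookie value itself untrustworthy to modify; which one to pick is mostly about whether you want session state on the server. The Secure and HttpOnly flags the post mentions address different threats (interception and script access) and are still worth setting alongside whichever option you choose.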
