[cgiapp] enciphered-cookie-only sessions

Mark Fuller azfuller at gmail.com
Tue Mar 11 11:34:22 EDT 2008

On Tue, Mar 11, 2008 at 8:19 AM, Ricardo SIGNES
<perl.cgiapp at rjbs.manxome.org> wrote:
>  Is your objection just that you don't want me storing anything in your
>  browser's cookie jar that isn't plaintext ...

Yes. I thought I'd said that more than once. A unfortunate perception
exists among many that cookies are bad. IMO encrypting session data
and placing it in a cookie contributes to that perception. It doesn't
mean every usage is bad. But, it can be. The problem being that it's
not transparent for the recipient to make that determination.

I agree with you that worse things could be happening on the backend
(storing credit card numbers in clear text on a loosely secured
network-accessible device).


More information about the cgiapp mailing list