encrypt instead of base64 #2
Comments
hrm, i'm not a huge fan of using cookies to send data other than opaque identifiers, due to http overhead and other issues. i think if your app has this kind of need, you're better off using something more durable than a cookie to persist this data. (but i'm all ears if you have reasons why this would be desired...)
Hmm, I don't follow you. Your data is not by any means opaque by relying on base64 encoding. If you want opaque identifiers, encrypt which is what I'm proposing. Swap out base64 for symmetric encryption. There are an infinite number of reasons to use small-sized (agree with you there) data in cookies that is also completely opaque to the user and anyone else sniffing the traffic.
ah, okay. my apologies, i misunderstood you. the idea is that the payload, regardless of what it contains, would itself be encrypted? this seems like a good idea, but is a bit above my station... i'm not too familiar with the tradeoffs, but now that node has a pretty robust library for encryption, something like this is much easier. i basically cloned this implementation from tornado. is there a reason why other frameworks don't do this? is it more expensive, for example? jed
I am unsure to be honest. By default, I imagine most people do not need to encrypt the contents/payload of a cookie. So it is possible just not enabled by default. I've basically talked myself out of this needing to be a default since I can do it myself by encrypting the value for So, feel free to close this!
okay, i'll close for now, but let's keep it in mind. it's really nice to have a real encryption library now!
For opaque cookies, use symmetric encryption instead of base64 of the cookie value/payload.
One doesn't always want to share the contents of the cookie with the user, even if tampering with the value is detectable by an invalid signature.
I suppose one could encrypt beforehand? Hmm, maybe that is a better idea.
Thoughts?
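
The trade-off discussed in this thread, as an added example that is not part of the issue or of the library's own code: a signed base64 cookie is tamper-evident but readable by anyone who holds it, while an AES-256-GCM value is both opaque and tamper-evident. The key derivation, the `|` delimiter, and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key (32 bytes); a real key comes from secret storage.
const KEY = crypto.createHash('sha256').update('constructed-demo-secret').digest();

// Signed-only: base64 payload plus HMAC. Integrity, but no confidentiality.
function signedCookie(value, key) {
  const body = Buffer.from(value, 'utf8').toString('base64');
  const sig = crypto.createHmac('sha256', key).update(body).digest('hex');
  return body + '|' + sig;
}

// What any holder of the signed cookie can read without the key.
function readWithoutKey(signed) {
  return Buffer.from(signed.split('|')[0], 'base64').toString('utf8');
}

// Encrypted: AES-256-GCM provides confidentiality and integrity together.
function sealCookie(value, key) {
  const iv = crypto.randomBytes(12); // fresh nonce per cookie, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  // Layout (an assumption of this example): iv(12) || tag(16) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null if the cookie is malformed or was modified.
function openCookie(cookie, key) {
  const raw = Buffer.from(cookie, 'base64');
  if (raw.length < 28) return null; // shorter than iv + tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // authentication tag mismatch: tampered value or wrong key
  }
}
```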