Comments on: Sessionless Sessions http://stut.net/2008/07/26/sessionless-sessions-2/ Ramblings of a random software engineer Thu, 15 Jul 2010 15:56:21 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Information on Cookies | keyongtech http://stut.net/2008/07/26/sessionless-sessions-2/comment-page-1/#comment-8215 Information on Cookies | keyongtech Sun, 18 Jan 2009 16:23:48 +0000 http://stut.net/blog/?p=227#comment-8215 [...] prevent cookie forging or what not. You can encrypt or hash the cookies to prevent tampering... http://stut.net/blog/2008/07/26/sessionless-sessions-2/ -Stut -- [...] [...] prevent cookie forging or what not. You can encrypt or hash the cookies to prevent tampering… http://stut.net/blog/2008/07/26/sessionless-sessions-2/ -Stut — [...]

]]> By: Stut http://stut.net/2008/07/26/sessionless-sessions-2/comment-page-1/#comment-6460 Stut Mon, 13 Oct 2008 09:30:26 +0000 http://stut.net/blog/?p=227#comment-6460 Thanks for your comment Steve. The decrypted value gets verified by the unserialize function. If it cannot be unserialized it will return false, which will cause the next check to fail and will return a failure to the caller. Thanks for your comment Steve. The decrypted value gets verified by the unserialize function. If it cannot be unserialized it will return false, which will cause the next check to fail and will return a failure to the caller.

]]> By: Steve Clay http://stut.net/2008/07/26/sessionless-sessions-2/comment-page-1/#comment-6449 Steve Clay Sun, 12 Oct 2008 21:29:16 +0000 http://stut.net/blog/?p=227#comment-6449 I had a <a href="http://code.google.com/p/mrclay/source/browse/trunk/php/MrClay/CookieStorage.php" rel="nofollow">cookie storage class</a> that hashes the contents with a key to ensure no tampering. Great for the same principle: storing a little insensitive session data w/o needing server-side files. Thanks to your post I added a encrypted mode. Some <a href="http://code.google.com/p/mrclay/source/browse/trunk/php/MrClay/CookieStorage/" rel="nofollow">usage code here</a>. One thing I noticed about the decryption is there's no verification built-in; you just get garbage back if the key/data was mangled. So I had to prepend a hash of the key and verify it on the other side. I had a cookie storage class that hashes the contents with a key to ensure no tampering. Great for the same principle: storing a little insensitive session data w/o needing server-side files.
Thanks to your post I added a encrypted mode. Some usage code here.

One thing I noticed about the decryption is there’s no verification built-in; you just get garbage back if the key/data was mangled. So I had to prepend a hash of the key and verify it on the other side.

]]>