Securing 'pickle'

Alan Kennedy alanmk at hotmail.com
Fri Jul 11 12:16:33 EDT 2003


Paul Rubin wrote:

> My suggestion is to
> authenticate the cookies with a cryptographic checksum and verify the
> authentication before deserializing the cookies.  That's probably the
> simplest approach.  Keeping session info on a multi-process server (or
> worse, a multi-server network) needs some kind of concurrent storage
> mechanism.  

Paul,

Do you mean transmit the checksum to the client with the cookie? And
check that they match when the cookie and checksum come back?

Or is the checksum stored on the server, in some form of lookup
dictionary keyed by some user session identifier?

regards,

-- 
alan kennedy
-----------------------------------------------------
check http headers here: http://xhaus.com/headers
email alan:              http://xhaus.com/mailto/alan