
Yes, you could use an HMAC for this, however you need to keep the private key, well... private, which in practice is not easy. If the server is compromised, an attacker could steal the secret key and use it to generate signed cookies for any user. This method is also subject to replay attacks for the duration of the token's validity, though that is less relevant with SSL.

Whereas if only token hashes are stored in the database, then the entire database could be stolen and nobody can use it to generate valid cookies.

EDIT: Also, if an account goes rogue you have no way to invalidate its cookies, so you'll have to do a lookup for each request to see if the account is blocked.
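
The trade-off described in the comment above, as an added example that is not part of the original comment: a stateless HMAC-signed cookie beside a random token whose SHA-256 hash is the only thing stored server-side. All names (`sign_cookie`, `TokenStore`, the in-memory dict standing in for a database table) are hypothetical, and the compromise is modelled simply as the key and the table contents both leaking.

```python
import hashlib, hmac, secrets

# Approach A: stateless HMAC-signed cookie (hypothetical helper names)
def sign_cookie(key: bytes, user: str) -> str:
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_cookie(key: bytes, cookie: str):
    user, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None

# Approach B: random token handed to the client, only its hash kept server-side
class TokenStore:
    def __init__(self):
        self.rows = {}  # sha256(token) hex -> user; stands in for a DB table

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # high entropy, so a fast hash suffices
        self.rows[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def verify(self, token: str):
        return self.rows.get(hashlib.sha256(token.encode()).hexdigest())

    def revoke_user(self, user: str) -> None:
        self.rows = {h: u for h, u in self.rows.items() if u != user}

def demo() -> dict:
    key = secrets.token_bytes(32)
    store = TokenStore()
    alice_token = store.issue("alice")
    alice_cookie = sign_cookie(key, "alice")
    # Constructed compromise: the HMAC key and the token table both leak
    leaked_key, leaked_rows = key, dict(store.rows)
    forged = sign_cookie(leaked_key, "bob")
    results = {
        # A leaked key is enough to produce a cookie the server accepts
        "hmac_forgery_accepted": verify_cookie(key, forged) == "bob",
        # A leaked hash is not a token: presenting it gets hashed again and misses
        "leaked_hash_accepted": any(store.verify(h) for h in leaked_rows),
    }
    store.revoke_user("alice")
    # Deleting the row invalidates the token; the signed cookie needs a separate lookup
    results["token_valid_after_revoke"] = store.verify(alice_token) is not None
    results["hmac_valid_after_revoke"] = verify_cookie(key, alice_cookie) == "alice"
    return results
```
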
