undefined | Better HN

0 pointslifeisstillgood12y ago0 comments

No I wrote a library that stored a UUID as a cookie, then wrote that as a keypair with the user details to a backend dbase.

No crypto, just a lookup. Yes it introduces latency. But it is as secure as my servers are.

0 comments

1 comments · 1 top-level

irahul12y ago

Session id in a secured cookie and then loading the session from db/memcache/ram/custom-backend is standard practice and is something that is provided by most frameworks. What exactly did you gain by using a non-signed cookie other than opening yourself to replay attacks? If you felt like directly setting a cookie instead of just `session['user_id'] = some-user-id`, why did you forgo signed cookies?

j / k navigate · click thread line to collapse