[TYPO3-mvc] encrypted cookies in TYPO3
Helmut Hummel
helmut.hummel at typo3.org
Tue Dec 23 00:30:56 CET 2014
Hi Chris,
On 22.12.14 at 10:33, Chris Wolff - AERTiCKET AG wrote:
> Whether cookie encryption makes sense depends on your session handling strategy.
Cookies do not necessarily have something to do with session handling.
> Cookie encryption only makes sense to "protect" you against manipulation of cookie data.
Which makes sense, doesn't it? Don't know why you put protect in quotes.
This might even make sense for a session ID because the application can
validate if it was the issuer of the cookie, in case you want to avoid
session fixation.
As a bonus, nobody could even read the content of a cookie.
> It does NOT protect you from cookie stealing and cookie reuse.
Sure. Thanks for pointing that out.
Kind regards,
Helmut
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
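
The properties discussed in this message, as an added example that is not part of the original e-mail and is not TYPO3 code: authenticated encryption of a cookie value rejects manipulated values and values the server did not issue, hides the content, and still accepts an unmodified copy. It assumes PHP 7.2+ with the sodium extension; `sealCookie()` and `openCookie()` are hypothetical helper names and the payload is constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for this example; not part of any TYPO3 API.
function sealCookie(string $plaintext, string $key): string
{
    // Fresh random nonce per cookie; secretbox is authenticated encryption.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function openCookie(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // not even the right shape for a cookie we issued
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // false means the MAC check failed
}

$key    = sodium_crypto_secretbox_keygen(); // server-side secret, never sent to the client
$cookie = sealCookie('{"sid":"constructed-session-id","role":"editor"}', $key);

// Manipulation: one flipped bit fails authentication, so the value is rejected.
$raw = base64_decode($cookie, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(openCookie(base64_encode($raw), $key));

// Issuer check: a value sealed under any other key is rejected as well.
$foreign = sealCookie('{"sid":"not-issued-by-this-server"}', sodium_crypto_secretbox_keygen());
var_dump(openCookie($foreign, $key));

// Confidentiality: the cookie value is ciphertext, the JSON is not readable in it.
var_dump($cookie);

// Reuse: an unmodified copy of a valid cookie opens exactly like the original,
// so encryption alone does nothing against a stolen cookie being replayed.
$copy = $cookie;
var_dump(openCookie($copy, $key));
```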