[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules
Ozgun Ataman
ozataman at gmail.com
Wed Feb 27 22:30:52 CET 2013
I would encourage you to take a look at the snap (the web framework)
package, where this concern is handled for you as part of the "session"
snaplet.
The Snap.Snaplet.Session module
(http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session.html)
and the Snap.Snaplet.Session.Backends.CookieSession module
(http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session-Backends-CookieSession.html)
ensure
that contents of the cookie-persistent sessions are encrypted and so you
can place anything from user ids to other secret information there,
although I would certainly keep it to a minimum for size concerns.
Here it is: http://hackage.haskell.org/package/snap
Hope this helps,
Oz
On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont
<corentin.dupont at gmail.com> wrote:
> So I need to "encrypt" the user ID in some way? What I need is to
> associate the user ID to a random number and store the association in a
> table?
>
>
> On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink <hesselink at gmail.com> wrote:
>
>> Note that cookies are not the solution here. Cookies are just as user
>> controlled as the url, just less visible. What you need is a session
>> id: a mapping from a non-consecutive, non-guessable, secret token to
>> the user id (which is sequential and thus guessable, and often exposed
>> in urls etc.). It doesn't matter if you then store it in the url or a
>> cookie. Cookies are just more convenient.
>>
>> Erik
>>
>> On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont
>> <corentin.dupont at gmail.com> wrote:
>> > Yes, having a cookie to keep track of the session is something I plan
>> > to do.
>> >
>> > On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauhala at gmail.com>
>> > wrote:
>> >>
>> >> The user id is not necessarily the problem, but rather that you can
>> >> pose as another user. For this, one solution is to keep track of a
>> >> unique (changing) user token in the cookies and use that for verifying
>> >> the user.
>> >>
>> >> --
>> >> Mats Rauhala
>> >> MasseR
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Haskell-Cafe mailing list
>> >> Haskell-Cafe at haskell.org
>> >> http://www.haskell.org/mailman/listinfo/haskell-cafe
>> >>
>> >
>> >
>> >
>>
>
>
>
>
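The two mechanisms discussed in this thread, Erik's mapping from a random, non-guessable session token to the sequential user id, and the tamper-proof cookie contents that Ozgun credits to Snap's cookie-session backend, as an added Python example that is not part of the thread and is not Snap's own code. The names SessionStore, seal_cookie, open_cookie and resolve_user are this example's own. The cookie part only signs (HMAC-SHA256) so a client cannot alter or forge the value; Snap's backend additionally encrypts, which this example does not replicate, so nothing secret should be placed in the signed payload here.

```python
# Added example (not from the thread, not Snap's code): a server-side session
# store keyed by a random token, plus an HMAC-sealed cookie a client cannot forge.
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32  # 256 bits of entropy: neither sequential nor guessable


@dataclass
class _Entry:
    user_id: int
    expires_at: float


class SessionStore:
    """Maps secret session tokens to the (sequential, guessable) user id."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._entries = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _key(token):
        # Keep only a hash of the token: a leaked store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._entries[self._key(token)] = _Entry(user_id, self._clock() + self._ttl)
        return token  # this, not the user id, is what goes into the cookie or URL

    def lookup(self, token):
        entry = self._entries.get(self._key(token))
        if entry is None:
            return None
        if entry.expires_at <= self._clock():
            del self._entries[self._key(token)]  # expired: drop it
            return None
        return entry.user_id

    def revoke(self, token):
        """Logout or token rotation: the old token must stop resolving at once."""
        self._entries.pop(self._key(token), None)


def seal_cookie(key, payload):
    """Encode payload and append an HMAC-SHA256 tag (integrity only, no secrecy)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def open_cookie(key, cookie):
    """Return the payload if the tag verifies, otherwise None (treat as no session)."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return None


def resolve_user(store, key, cookie):
    """Full server-side path: verify the cookie, then map its token to a user id."""
    payload = open_cookie(key, cookie)
    if not isinstance(payload, dict) or "sid" not in payload:
        return None
    return store.lookup(payload["sid"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed for the demo; real keys live outside source
    store = SessionStore(ttl_seconds=600)
    cookie = seal_cookie(key, {"sid": store.create(7)})
    print("valid cookie ->", resolve_user(store, key, cookie))
    print("forged cookie ->", resolve_user(store, key, seal_cookie(b"guess", {"sid": "x"})))
```

The point Erik makes is visible in `create`: the user id never leaves the server, only the token does, and a token from `secrets.token_urlsafe` cannot be enumerated the way a sequential id in a URL can. The point Ozgun makes is visible in `open_cookie`: a cookie is client-controlled data, so the server must verify it before trusting any field in it.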