[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules
Ozgun Ataman
ozataman at gmail.com
Wed Feb 27 22:55:36 CET 2013
You probably can't use it directly but it should at least show you how we did it. In particular, the Snap.Snaplet.Session.SecureCookie module (internal, I think, so look at source) may be of interest to you as it implements the self-contained idea of encrypted cookies.
- Oz
On Wednesday, February 27, 2013 at 4:43 PM, Corentin Dupont wrote:
> Thanks Ozgun,
> but I'm using Happstack: this will be compatible?
>
> On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman <ozataman at gmail.com (mailto:ozataman at gmail.com)> wrote:
> > I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet.
> >
> > The Snap.Snaplet.Session (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session.html) module and the Snap.Snaplet.Session.Backends.CookieSession (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session-Backends-CookieSession.html) ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns.
> >
> > Here it is: http://hackage.haskell.org/package/snap
> >
> > Hope this helps,
> > Oz
> >
> >
> > On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont <corentin.dupont at gmail.com (mailto:corentin.dupont at gmail.com)> wrote:
> > > So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?
> > >
> > >
> > > On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink <hesselink at gmail.com (mailto:hesselink at gmail.com)> wrote:
> > > > Note that cookies are not the solution here. Cookies are just as user
> > > > controlled as the url, just less visible. What you need is a session
> > > > id: a mapping from a non-consecutive, non-guessable, secret token to
> > > > the user id (which is sequential and thus guessable, and often exposed
> > > > in urls etc.). It doesn't matter if you then store it in the url or a
> > > > cookie. Cookies are just more convenient.
> > > >
> > > > Erik
> > > >
> > > > On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont
> > > > <corentin.dupont at gmail.com (mailto:corentin.dupont at gmail.com)> wrote:
> > > > > Yes, having a cookie to keep track of the session if something I plan to do.
> > > > >
> > > > > On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauhala at gmail.com (mailto:mats.rauhala at gmail.com)>
> > > > > wrote:
> > > > >>
> > > > >> The user id is not necessarily the problem, but rather that you can
> > > > >> impose as another user. For this, one solution is to keep track of a
> > > > >> unique (changing) user token in the cookies and use that for verifying
> > > > >> the user.
> > > > >>
> > > > >> --
> > > > >> Mats Rauhala
> > > > >> MasseR
> > > > >>
> > > > >> -----BEGIN PGP SIGNATURE-----
> > > > >> Version: GnuPG v1.4.10 (GNU/Linux)
> > > > >>
> > > > >> iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql
> > > > >> tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt
> > > > >> =tf0d
> > > > >> -----END PGP SIGNATURE-----
> > > > >>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Haskell-Cafe mailing list
> > > > >> Haskell-Cafe at haskell.org (mailto:Haskell-Cafe at haskell.org)
> > > > >> http://www.haskell.org/mailman/listinfo/haskell-cafe
> > > > >>
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Haskell-Cafe mailing list
> > > > > Haskell-Cafe at haskell.org (mailto:Haskell-Cafe at haskell.org)
> > > > > http://www.haskell.org/mailman/listinfo/haskell-cafe
> > > > >
> > >
> > >
> > > _______________________________________________
> > > Haskell-Cafe mailing list
> > > Haskell-Cafe at haskell.org (mailto:Haskell-Cafe at haskell.org)
> > > http://www.haskell.org/mailman/listinfo/haskell-cafe
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130227/66c90858/attachment.htm>
More information about the Haskell-Cafe
mailing list