
not sure if that was the point or not, but it's wrong. even if you did sign/encrypt, that's not a benefit over a standard cookie. you can easily sign or encrypt a 'standard cookie' as well.

the benefit is the portability that comes from a standardized and widely used data structure.



You say that as if cookies haven't been a standardized and widely used data structure (key-value store) for decades.


No, they say it as if cookies don’t have a built-in authentication or encryption method (when the client is untrusted).


My point was that allowing 'None' was/is a flaw. If you want to shuttle bits of data about in an unsigned/unencrypted/insecure way, that's what raw cookies are for.

Now, as cookies are buckets to dump data, there is of course nothing to stop you encrypting, signing and doing all sorts of things to cookies.
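
As an added illustration of the two points made in this thread (not code from any commenter): an HMAC-signed plain cookie, and a JWT verifier that pins HS256 so a token whose header says `none` is rejected. The key, function names and claims are constructed for the example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_cookie(value: str, key: bytes = KEY) -> str:
    """Plain cookie value with an HMAC-SHA256 tag appended."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return f"{b64u(value.encode())}.{b64u(tag)}"

def verify_cookie(cookie: str, key: bytes = KEY):
    """Return the value if the tag checks out, else None."""
    try:
        body, tag = cookie.split(".")
        value, given = b64u_dec(body), b64u_dec(tag)
    except ValueError:  # wrong part count or bad base64
        return None
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value.decode() if hmac.compare_digest(given, expected) else None

def make_jwt(claims: dict, alg: str = "HS256", key: bytes = KEY) -> str:
    """Build a sample token; alg="none" yields an empty signature part."""
    header = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64u(json.dumps(claims).encode())}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(b'' if alg == 'none' else mac)}"

def verify_jwt(token: str, key: bytes = KEY):
    """The verifier pins HS256; the token's own header never picks the algorithm."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_dec(header_b64))
        given = b64u_dec(sig_b64)
    except ValueError:  # malformed token, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects "none" and anything else not pinned
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    return json.loads(b64u_dec(payload_b64))
```
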



