[dspillett]

But you are still likely to want to sign the state so you can tell if it has been corrupted (or deliberately doctored) and reject it if so.

[Dylan16807]

Sign or sanity check, whichever you prefer. Personally in a simple interface like this site I'd rather sanity check the few simple parameters.

[wnight]

It's not a druthers kind of thing. If you need to trust that it hasn't been tampered with you must sign it.

And if you don't care you might as well not add authentication because without signing it's just a fancy CRC - ie, totally replicable by an attacker. As cookies and links are sent over TCP there should be vanishingly few errors in transmission - you're far more likely to introduce false positives with buggy code, and ...

You need to sanity check your inputs anyways. Just do it. This is also how you avoid bugs normally.

[Dylan16807]

I'm not sure what your argument is.

Yes if you want to trust it you have to sign it and make sure you implement all the crypto correctly. But I don't see a need for that here.

Also TCP's checksum sucks.

[wnight]

You said "sign or sanity check it", as if you can do whichever you want. But in the area suggested they have vast differences and security implications.

How many corrupted web pages do you see because of CRC failure in TCP?