by santadays
5189 days ago
I might be wrong here, but I think it prevents a user from tampering with their own cookie. Say I store User_Id:5 in a cookie and pass it over an SSL connection. The user can still change from User_Id:5 to User_Id:6 and get user 6's account info. Typically you would have to store a non-guessable token instead to avoid this. I think by encrypting the cookie you provide the non-guessable part of the equation without having to think about it. This isn't really a benefit from a security standpoint (as in it doesn't provide more security), but it is convenient. Could be wrong here, I'm not very familiar with Yesod.
the encryption prevents reading (and thereby also -- to some extent -- but not specifically tinkering/tampering)
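The User_Id:5 to User_Id:6 edit discussed in this thread, checked server-side in two ways, as an added example that is not part of either comment and is not Yesod's code: an HMAC tag over the cookie value, and an opaque random token mapped to the user id on the server. The function names, the key handling and the `value.tag` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag', where tag is HMAC-SHA256 over the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the value if its tag verifies, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return value if ok else None


# Alternative named in the first comment: the cookie carries only a random
# token and the user id never leaves the server.
SESSIONS = {}


def new_session(user_id: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def user_for(token: str):
    return SESSIONS.get(token)


def demo():
    cookie = sign_cookie("User_Id:5")
    tampered = cookie.replace("User_Id:5", "User_Id:6", 1)  # the edit from the thread
    token = new_session(5)
    return verify_cookie(cookie), verify_cookie(tampered), user_for(token), user_for(token + "x")


if __name__ == "__main__":
    print(demo())
```

The tag gives integrity only, so the value stays readable by the client; the random token hides the id but needs server-side state.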