by acveilleux 4425 days ago
Well, the cookie should not contain anything computable by the user. You could use an encrypted cookie to store session information to save a round-trip to the DB. In that case it should be impossible for the user to derive the key or modify without detection (so HMAC-SHA256, GCM, Poly1305 or whatever authentication mode is fashionable/applicable.)
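An added example of the "modify without detection" half of that comment, not code from the commenter: a session cookie whose payload is authenticated with HMAC-SHA256 over a server-held key, so a client that rewrites the payload (here `role`) without the key fails verification. It uses only the Python standard library and assumes a 32-byte server secret (constructed below); it provides integrity, not confidentiality, so anything the client must not read would additionally need an AEAD such as AES-GCM from a crypto library, which the comment also mentions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed placeholder: a real deployment loads this from a secrets store.
SERVER_KEY = b"\x01" * 32


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value fits in a cookie."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_session(session: dict, key: bytes, now=None) -> str:
    """Serialise the session with an issued-at time and append an HMAC-SHA256 tag."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"data": session, "iat": issued},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def open_session(cookie: str, key: bytes, max_age: int = 3600, now=None):
    """Return the session dict, or None if the tag, format or age check fails."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Verify the tag before parsing anything: constant-time compare, same key.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if not (isinstance(obj, dict) and isinstance(obj.get("iat"), int)
            and isinstance(obj.get("data"), dict)):
        return None
    current = time.time() if now is None else now
    if current - obj["iat"] > max_age:
        return None  # stale cookie; the tag alone does not bound its lifetime
    return obj["data"]


def tamper_with_cookie(cookie: str, **changes) -> str:
    """Rewrite the payload but keep the old tag: all a client without the key can do."""
    payload_b64, tag_b64 = cookie.split(".")
    obj = json.loads(_b64d(payload_b64))
    obj["data"].update(changes)
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + tag_b64


if __name__ == "__main__":
    cookie = seal_session({"uid": 42, "role": "user"}, SERVER_KEY)
    print("valid   :", open_session(cookie, SERVER_KEY))
    print("tampered:", open_session(tamper_with_cookie(cookie, role="admin"), SERVER_KEY))
```

The tag covers the issued-at timestamp as well as the data, so the age check cannot be bypassed by editing `iat`; rotating or revoking sessions still needs server-side state or a key change, since a valid tag stays valid until `max_age` elapses.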