Thanks Ozgun, but I'm using Happstack: this will be compatible? On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman <ozataman@gmail.com> wrote:
I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet.
The Snap.Snaplet.Session<http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session.html> module and the Snap.Snaplet.Session.Backends.CookieSession<http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaplet-Session-Backends-CookieSession.html> ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns.
Here it is: http://hackage.haskell.org/package/snap
Hope this helps, Oz
On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont < corentin.dupont@gmail.com> wrote:
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID to a random number and store the association is a table?
On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink <hesselink@gmail.com>wrote:
Note that cookies are not the solution here. Cookies are just as user controlled as the url, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in urls etc.). It doesn't matter if you then store it in the url or a cookie. Cookies are just more convenient.
Erik
On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont <corentin.dupont@gmail.com> wrote:
Yes, having a cookie to keep track of the session if something I plan to do.
On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala <mats.rauhala@gmail.com> wrote:
The user id is not necessarily the problem, but rather that you can impose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.
-- Mats Rauhala MasseR
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAlEuFVQACgkQHRg/fChhmVMu3ACeLLjbluDQRYekIA2XY37Xbrql tH0An1eQHrLLxCjHHBQcZKmy1iYxCxTt =tf0d -----END PGP SIGNATURE-----
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe