Persistent sessions
Ron Garret
ron at flownet.com
Fri Feb 14 18:48:21 UTC 2014
On Feb 14, 2014, at 10:30 AM, peter <p2.edoc at gmail.com> wrote:
> as the session start time is encoded inside the cookie
No, it isn't. The session start time is used as a source of entropy to help make the session cookie secure. But the session cookie is an MD5 hash, and so you can’t get any information out of it.
> i suspect that you are using your model where you make the session-DB
> itself (the alist) persistent.
Yes. Of course.
> i am not allowed to do this
Then you need to change the way that HT generates cookies so that they contain all the information you need in a way that allows you to extract it. Right now they don’t.
(I’m a little surprised that you’re not allowed to do this. I have a hard time imagining how you could write a useful application without being allowed to write to non-volatile storage.)
rg
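
The contrast drawn in the message above, as an added example that is not part of the original post and is not Hunchentoot code: an opaque hashed cookie versus one that carries the session start time in a readable, HMAC-signed payload. It is a Python sketch; `SECRET`, `MAX_AGE`, the cookie layout and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client
MAX_AGE = 3600                    # assumption: session lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def opaque_cookie(session_id: int, start: int) -> str:
    # The start time only feeds the hash; nothing can be read back out of
    # the digest, so the server must keep its own session table.
    return hashlib.md5(f"{session_id}:{start}".encode() + SECRET).hexdigest()

def make_cookie(session_id: int, start: int) -> str:
    # Self-describing cookie: readable payload plus an HMAC tag over it.
    # The payload is signed, not encrypted, so the client can read it.
    payload = json.dumps({"id": session_id, "start": start}, sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def read_cookie(cookie: str, now: int):
    """Return the session dict, or None if malformed, forged or expired."""
    try:
        p64, t64 = cookie.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)  # parsed only after the tag has verified
    if not 0 <= now - data["start"] <= MAX_AGE:
        return None
    return data
```

Without a server-side session table, a cookie of this kind cannot be revoked before it expires.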
More information about the Tbnl-devel mailing list