WebApp Sec mailing list archives

Re: Passing data between frames


From: Bear Giles <bgiles () coyotesong com>
Date: Fri, 28 Mar 2003 17:25:18 -0700

Mark Reardon wrote:
I use large handles (512 bit or larger) and I encrypt them using a hash of the browser ID and high byte of the source IP address. I then place the handle in a cookie. I then add it to a table, and place the table index into a cookie. The table also has either the information being passed or a pointer to it.

That sounds unnecessarily complex. Why bother with the encryption/decryption cycle?

Hash the browser ID, source IP and some salt. Put the hash into a cookie. The same cookie goes into the database with whatever information you're tracking, using the hash as your primary key.

When you receive a cookie, recompute the hash from the same values and compare. If they match, retrieve the values from the database. If they don't, you could probably still flush the table entry based on the browser ID and source IP, although that may not be sufficiently unique.

To narrow that window, table entries are timed (short) and only available once.

Is the uniqueness really required?

If so, you can still easily do this with just hashes. Use the same approach to handle salt values in password files - just prepend the sequence number to the hash before encoding it in hex or base64 for your cookie. When you get a cookie, pull the salt value and use it to generate the new hash. The table could/should also contain the current sequence number.
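The hash-keyed, timed, single-use handle table described in this reply, as an added example in Python (not code from the thread). It assumes a server-side secret as the "some salt" (keyed with HMAC so the value cannot be recomputed from the browser ID and IP alone), SHA-256, base64 encoding, a constructed five-minute lifetime, and the sequence number prepended to the hash as the per-handle salt.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side secret standing in for the "some salt" in the post.
SERVER_SECRET = b"constructed-example-secret"
TTL_SECONDS = 300          # short lifetime, as the thread suggests
SEQ_BYTES = 8
DIGEST_BYTES = hashlib.sha256().digest_size


class HandleTable:
    """Server-side table keyed by the cookie hash; entries are timed and single-use."""

    def __init__(self, now=time.time):
        self.rows = {}     # digest -> {"seq", "payload", "expires"}
        self.seq = 0       # current sequence number, kept in the table as the post suggests
        self.now = now     # injectable clock (constructed for testing expiry)

    def _digest(self, browser_id, ip, seq):
        # hash(browser ID, source IP, salt): the sequence number is the per-handle salt;
        # the server secret keeps the value unforgeable by anyone who knows the inputs.
        msg = f"{browser_id}|{ip}|{seq}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

    def issue(self, browser_id, ip, payload):
        """Create a one-time handle and return the cookie value to send to the browser."""
        self.seq += 1
        digest = self._digest(browser_id, ip, self.seq)
        self.rows[digest] = {"seq": self.seq, "payload": payload,
                             "expires": self.now() + TTL_SECONDS}
        # sequence number prepended to the hash, then encoded (base64 here)
        return base64.urlsafe_b64encode(self.seq.to_bytes(SEQ_BYTES, "big") + digest).decode()

    def redeem(self, cookie, browser_id, ip):
        """Recompute the hash from the presented cookie; return the payload or None."""
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except ValueError:
            return None
        if len(raw) != SEQ_BYTES + DIGEST_BYTES:
            return None
        seq = int.from_bytes(raw[:SEQ_BYTES], "big")
        expected = self._digest(browser_id, ip, seq)
        if not hmac.compare_digest(raw[SEQ_BYTES:], expected):
            return None                      # different browser/IP or tampered cookie
        row = self.rows.pop(expected, None)  # pop: the handle is available only once
        if row is None or row["expires"] < self.now():
            return None
        return row["payload"]
```

A mismatched hash leaves the table row in place, so a failed lookup from another client does not consume the legitimate client's handle; the expiry check still removes stale rows when they are presented.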
