Posted by Chung Leong on 12/18/77 11:50
veg_all@yahoo.com wrote:
> Chung Leong wrote:
> > If someone breaks into your server they'll be able to find the key.
> > Obviously it has to be sitting somewhere.
>
> Actually I manually encrypt everything when a client first starts. After
> that they just use a cookie to send the key. So I don't store it anywhere
> on the server.
Hmmm... That might kind of work for protecting transient data. Then
again, I presume that you're generating the key using one of the random
functions in PHP. Knowing the time when the key is generated (from the
server log) and the process id, an attacker would be able to narrow the
range of possible keys considerably. We're assuming here the server is
properly set up and the attacker only has access to the web server
account.
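The concern raised above, as an added example that is not part of the thread and not code from either poster: the first function seeds PHP's Mersenne Twister from the wall-clock time and process id, the two values the reply says an attacker can read from the server log and process table, while the second draws the key from the operating system's CSPRNG. The cookie helper and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Contrast the key generation the
// reply warns about with a key taken from the OS CSPRNG.

// Weak: seed derived from wall-clock time and process id. Both are
// visible to anyone with the web server account (access log timestamps,
// /proc), so the seed space is roughly (window in seconds) x (pid range),
// e.g. 3600 x 32768 ~ 2^27 candidates for a one-hour window. mt_rand()
// is also not a cryptographic generator, whatever the seed.
function weakSessionKey(): string
{
    mt_srand(time() ^ getmypid());      // guessable seed
    $key = '';
    for ($i = 0; $i < 32; $i++) {
        $key .= chr(mt_rand(0, 255));   // deterministic given the seed
    }
    return bin2hex($key);
}

// Hardened: 256 bits straight from the kernel CSPRNG (getrandom(2),
// /dev/urandom or the Windows equivalent). random_bytes() throws on
// failure instead of silently falling back to a weaker source.
function strongSessionKey(): string
{
    return bin2hex(random_bytes(32));
}

// Hand the key to the client as the poster describes, but only over TLS
// and out of reach of page script, so the cookie is the only copy and it
// is not trivially readable in transit or by injected JavaScript.
// (Hypothetical helper; cookie name 'ckey' is an assumption.)
function sendKeyCookie(string $key): void
{
    setcookie('ckey', $key, [
        'expires'  => 0,          // session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

$key = strongSessionKey();
sendKeyCookie($key);
printf("weak scheme: at most about 2^%.1f distinct keys per hour\n",
       log(3600 * 32768, 2));
printf("strong key: %s (2^256 possibilities)\n", $key);
```

Run it under the PHP CLI (`php keygen.php`) to see the two keys side by side; the point is not the output but that `weakSessionKey()` is fully determined by two values the server already leaks, whereas `strongSessionKey()` has no such dependency.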