Posted by ast3r3x on 05/23/07 20:37

I'm trying to implement the protocol used at
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf to
create cookies that can't be forged. I got everything working, except
I have run into one problem:

I don't know how to get the session key used for the encryption. I'm
completely new to SSL and I just installed it on my server, and got it
all set up that it works using http://mydomain.com. So that said, to
my understanding, using public/private key encryption, the server and
client negotiate a key to encrypt data with from that point on, and
that this doesn't change for a client, but it unique for every client.

It seems like that cookie protocol requires that you get that session
key and store it in the cookie to verify that the cookie hasn't been
stolen.

I guess my question is really that I just want to make sure I am
understanding what they mean by session key properly, and how you
would get it. I figured I should have access to it since I am the
server.

-Dustin

[Back to original message]