Posted by shimmyshack on 05/24/07 00:58

On May 23, 9:37 pm, ast3...@gmail.com wrote:
> I'm trying to implement the protocol used athttp://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdfto
> create cookies that can't be forged. I got everything working, except
> I have run into one problem:
>
> I don't know how to get the session key used for the encryption. I'm
> completely new to SSL and I just installed it on my server, and got it
> all set up that it works usinghttp://mydomain.com. So that said, to
> my understanding, using public/private key encryption, the server and
> client negotiate a key to encrypt data with from that point on, and
> that this doesn't change for a client, but it unique for every client.
>
> It seems like that cookie protocol requires that you get that session
> key and store it in the cookie to verify that the cookie hasn't been
> stolen.
>
> I guess my question is really that I just want to make sure I am
> understanding what they mean by session key properly, and how you
> would get it. I figured I should have access to it since I am the
> server.
>
> -Dustin

it's not the SSL symmetric key, its the php session key, the PHPSESSID

[Back to original message]