Change encryption to CTR mode and use better signature

Created on 16 October 2009, over 15 years ago
Updated 15 May 2025, 2 days ago

The bakery module seems to add a signature to the cookie based on parts of the user data. I'm not sure I follow why you bother with such a signature. The hash is created with the same encryption key as the cookie is encrypted with, so if you can encrypt cookies you can also create the hash correctly, so it doesn't add any security if my understanding is correct.

Should the signature just be removed to save some CPU cycles?

📌 Task

Status: Closed: outdated

Version: 2.0

Component: Code

Created by: 🇬🇧 United Kingdom, steven jones
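
The design named in the issue title (CTR-mode encryption plus a keyed signature) can be sketched as encrypt-then-MAC with separate keys derived from one shared secret. This is an added example, not Bakery's code or code from the issue; the function names, the HKDF labels, the IV || ciphertext || tag layout and the choice of AES-256 and HMAC-SHA-256 are assumptions made for illustration.

```php
<?php
// Added illustration: function names and HKDF labels are hypothetical, not Bakery's.

// Derive independent encryption and MAC keys from the one shared secret.
function cookie_keys(string $secret): array {
    return [
        hash_hkdf('sha256', $secret, 32, 'cookie-enc'),
        hash_hkdf('sha256', $secret, 32, 'cookie-mac'),
    ];
}

function cookie_seal(array $data, string $secret): string {
    [$encKey, $macKey] = cookie_keys($secret);
    $iv = random_bytes(16); // fresh per cookie: a CTR IV must never repeat under one key
    $ct = openssl_encrypt(json_encode($data), 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers both the IV and the ciphertext.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);
}

function cookie_open(string $cookie, string $secret): ?array {
    [$encKey, $macKey] = cookie_keys($secret);
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        return null; // not base64, or too short to hold an IV and a tag
    }
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16, -32);
    $tag = substr($raw, -32);
    // CTR gives no integrity, so verify the tag (constant-time) before decrypting.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    $data = $pt === false ? null : json_decode($pt, true);
    return is_array($data) ? $data : null;
}

// Constructed sample values.
$secret = 'constructed-shared-secret';
$cookie = cookie_seal(['name' => 'alice', 'mail' => 'alice@example.com'], $secret);
var_dump(cookie_open($cookie, $secret));          // intact cookie
$raw = base64_decode($cookie);
$raw[20] = $raw[20] ^ "\x01";                     // one ciphertext bit changed in transit
var_dump(cookie_open(base64_encode($raw), $secret));
```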


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.
