dreamer2014520 2018-08-20 08:57

Authentication and encryption keys in cookie-based session management

My query comes from trying to use a session store, e.g. RedisStore in Golang, where the store takes a vararg as its last argument which, as per the documentation, are pairs of authentication and encryption keys.

Most of the examples I see just use a single argument here (e.g. "secret", "mysecret", etc.) and I couldn't get any information about what is achieved by sending multiple pairs of authentication and encryption keys.

Could someone please explain more or direct me to some information about the purpose of the authentication and encryption keys in session management using cookies?


1 answer

  • du958642589 2018-08-20 10:27

    From the docs:

    Keys are defined in pairs to allow key rotation, but the common case is to set a single authentication key and optionally an encryption key.

    The first pair is used for authentication, encryption and decryption, all other pairs are only used for authentication and decryption (but not encryption).

    This is a very common strategy for key rotation. A new key pair is generated regularly and becomes the new key for encryption. Some or all other keys are kept around so that existing data can still be decrypted for some time. The oldest key can be discarded eventually. This limits the impact of a disclosed key because it becomes useless after some time.

    Other software that uses this method:

    This answer was selected by the asker as the best answer.
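
The rotation behaviour described in the answer above, as an added Go example that is not part of the original answer and is not the session library's own code. It is narrowed to the authentication key of each pair (the encryption key is left out to keep it short); `sign`, `Encode`, `Decode` and the sample keys are hypothetical names and constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// sign returns the base64 HMAC-SHA256 tag of value under key.
func sign(key []byte, value string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(value))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Encode issues a cookie "value.tag" using only the first (newest) key.
func Encode(keys [][]byte, value string) string {
	return value + "." + sign(keys[0], value)
}

// Decode accepts a cookie if any configured key authenticates it, so
// cookies issued before a rotation stay valid until their key is dropped.
func Decode(keys [][]byte, cookie string) (string, error) {
	i := strings.LastIndex(cookie, ".")
	if i < 0 {
		return "", errors.New("malformed cookie")
	}
	value, tag := cookie[:i], cookie[i+1:]
	for _, k := range keys {
		// hmac.Equal compares in constant time.
		if hmac.Equal([]byte(tag), []byte(sign(k, value))) {
			return value, nil
		}
	}
	return "", errors.New("no configured key authenticates this cookie")
}

func main() {
	oldKey := []byte("constructed-old-key-0000000000000") // constructed sample keys
	newKey := []byte("constructed-new-key-1111111111111")
	issued := Encode([][]byte{oldKey}, "user=42")             // issued before rotation
	_, errRotated := Decode([][]byte{newKey, oldKey}, issued) // old key kept: accepted
	_, errRetired := Decode([][]byte{newKey}, issued)         // old key dropped: rejected
	fmt.Println(errRotated == nil, errRetired != nil)
}
```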