WebApp Sec mailing list archives

Re: Encrypted URL


From: Michael Ströder <michael () stroeder com>
Date: Mon, 02 Feb 2004 09:01:08 +0100

Stephen de Vries wrote:

> It looks like what you're attempting to do is to send data from the server
> to the client, and ensure that the client sends the same data back. But
> you already know what the values are before sending them to the client,
> and you can read the values sent back from the client, so why sign the
> values, when you can just compare them before and after the post?
> Why jump through hoops trying to send static data to the client, when you
> can store and control everything on the server side?

For most web apps it's not necessary to sign data to send it to the client and get it back. As you pointed out, the web app already knows the data and therefore proper session management is sufficient.

But as Jeff Williams already mentioned it does make sense in a load-balancing architecture. Or I'd add it's useful when doing cross-site single sign-on, either Cookie- or URL-based. But the key management in such a situation is very tricky: PKI comes to mind...

Ciao, Michael.
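The case Michael describes, where several servers behind a load balancer (or two cooperating sites in a single sign-on setup) must accept a value they did not personally hand out, is usually solved with a keyed MAC over the data plus an expiry, shared by every node. The following is an added example written for this archive page, not code from either poster: it signs a small payload with HMAC-SHA256, carries a key identifier so that keys can be rotated (the key-management problem Michael points at), verifies in constant time, and shows the token travelling in a URL query parameter. The key names and key bytes are constructed for the demo; a real deployment would distribute them out of band.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo keys, indexed by key id. Every node behind the load
# balancer (or every site in the SSO federation) needs the same table; the
# key id in each token lets old tokens verify while a new key is rolled out.
KEYS = {
    "k1": b"constructed-demo-key-1",
    "k2": b"constructed-demo-key-2",
}
CURRENT_KID = "k2"          # key used for newly issued tokens
PARAM = "t"                 # query parameter that carries the token


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, *, kid: str = CURRENT_KID,
         now: Optional[float] = None, ttl: int = 300) -> str:
    """Return an opaque URL-safe token of the form kid.body.mac.

    The MAC covers the key id and the body, so neither can be swapped
    independently; the body embeds an expiry so a captured token does
    not stay valid forever.
    """
    now = time.time() if now is None else now
    body = {"d": payload, "exp": int(now) + ttl}
    body_s = _b64e(json.dumps(body, separators=(",", ":"),
                              sort_keys=True).encode())
    msg = f"{kid}.{body_s}".encode()
    mac = hmac.new(KEYS[kid], msg, hashlib.sha256).digest()
    return msg.decode() + "." + _b64e(mac)


def verify(token: str, *, now: Optional[float] = None) -> Optional[dict]:
    """Return the signed payload, or None if the token is malformed,
    signed with an unknown key, tampered with, or expired."""
    now = time.time() if now is None else now
    try:
        kid, body_s, mac_s = token.split(".")
        given_mac = _b64d(mac_s)
    except (ValueError, base64.binascii.Error):
        return None
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key, f"{kid}.{body_s}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many leading
    # bytes of a forged MAC were correct.
    if not hmac.compare_digest(expected, given_mac):
        return None
    body = json.loads(_b64d(body_s))   # only parsed after the MAC checks out
    if body["exp"] < now:
        return None
    return body["d"]


def make_url(base: str, payload: dict, **kw) -> str:
    """Embed a signed token in a redirect URL (URL-based SSO style)."""
    return base + "?" + urlencode({PARAM: sign(payload, **kw)})


def payload_from_url(url: str, **kw) -> Optional[dict]:
    """Extract and verify the token carried by a URL built with make_url."""
    values = parse_qs(urlparse(url).query).get(PARAM)
    return verify(values[0], **kw) if values else None


if __name__ == "__main__":
    url = make_url("https://app.example/sso", {"user": "alice"})
    print(url)
    print(payload_from_url(url))
```

Note that this only proves the data came from a holder of the shared key and has not expired; it does not by itself stop the same token from being replayed within its lifetime. Where that matters, the receiving node still needs some shared state (a nonce store) or a very short ttl, which is exactly why signing is no substitute for session management in the ordinary single-server case.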
