From 14010de608d59cfaf4a25587582fb512403b9c49 Mon Sep 17 00:00:00 2001 From: kka Date: Thu, 9 Aug 2018 11:16:46 +0200 Subject: Improve the cookie encryption documentation --- doc/source/encryption.rst | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'doc/source/encryption.rst') diff --git a/doc/source/encryption.rst b/doc/source/encryption.rst index 5309c46..c617fe3 100644 --- a/doc/source/encryption.rst +++ b/doc/source/encryption.rst @@ -64,14 +64,17 @@ The key is derived from multiple sources, such as : If the simulation mode isn’t specified in the configuration, snuffleupagus will drop any request that it was unable to decrypt. Since PHP doesn't handle session cookie and non-session cookie in the same way, -thus we are providing two different options: +thus we are providing two different ways. - * For the session cookie, the encryption happens server-side: The cookie's value isn't encrypted, only the session content is. - * For the non-session cookie, the value is encrypted. Session cookie .............. +For the session cookie, the encryption happens server-side: Nothing is +encrypted in the cookie: neither the cookie's name (usually ``PHPSESSID``) nor +its content (the session's name). What is in fact encrypted, is the session's +content, on the server (usually stored in ``/tmp/sess_`` files). + :ref:`Session encryption `, disabled by default, will activate transparent session encryption. It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` mode. @@ -84,6 +87,8 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m Non-session cookie .................. +For the non-session cookie, the cookie's name is left untouched, only its value is encrypted. + :ref:`Cookie encryption `, disabled by default, will activate transparent encryption of specific cookies. It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` mode. -- cgit v1.3
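Review bot: In the first hunk, the new "Session cookie" paragraph describes the cookie's content as "the session's name", which is inaccurate: the value of ``PHPSESSID`` is the session identifier, not a name, so "its content (the session's name)" should read "its content (the session identifier)". The same sentence also chains two colons ("server-side: Nothing is encrypted in the cookie: neither ..."); splitting it into "the encryption happens server-side. Nothing in the cookie itself is encrypted, neither its name (usually ``PHPSESSID``) nor its value (the session identifier)." reads more cleanly. Finally, the rewritten sentence "Since PHP doesn't handle ... in the same way, thus we are providing two different ways." keeps both "Since" and "thus", which is ungrammatical; drop "thus" and use a more precise noun than "ways", e.g. "we provide two different mechanisms".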
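Review bot: In the second hunk, the added line "For the non-session cookie, the cookie's name is left untouched, only its value is encrypted." is a comma splice and runs past the ~80-column wrapping used by the rest of encryption.rst; suggest "For non-session cookies, the cookie's name is left untouched; only its value is encrypted." wrapped to two lines. Since this sentence is the only place stating that cookie names stay in clear text, it would also help readers to say explicitly that the name is visible to anyone who can observe the request, so that this mechanism should not be relied on to hide which cookies an application sets.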